Skip to content

Security: Remove shell=True to prevent command injection (Fix #261) #293

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pradeeban merged 2 commits into from
Feb 14, 2026
Merged

Security: Remove shell=True to prevent command injection (Fix #261) #293

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3b864b4
Security: Fix command injection in /contribute and /library endpoints…
GaneshPatil7517 Feb 12, 2026
3bc84bc
Address review comments: improve validation and Windows compatibility
GaneshPatil7517 Feb 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 54 additions & 9 deletions fri/server/main.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,22 @@
from pathlib import Path
import json
import platform
import re
from flask_cors import CORS, cross_origin

# Input validation pattern for safe names (alphanumeric, dash, underscore, slash, dot, space)
SAFE_INPUT_PATTERN = re.compile(r'^[a-zA-Z0-9_\-/. ]+$')

def validate_input(value, field_name):
"""Validate that input contains only safe characters."""
if value is None:
return True
if not isinstance(value, str):
raise ValueError(f"Invalid {field_name}: must be a string")
if len(value) > 0 and not SAFE_INPUT_PATTERN.match(value):
raise ValueError(f"Invalid {field_name}: contains unsafe characters")
return True
Comment thread
GaneshPatil7517 marked this conversation as resolved.
Outdated

cur_path = os.path.dirname(os.path.abspath(__file__))
concore_path = os.path.abspath(os.path.join(cur_path, '../../'))

Expand Down Expand Up @@ -304,14 +318,24 @@ def contribute():
STUDY_NAME = data.get('study')
STUDY_NAME_PATH = data.get('path')
BRANCH_NAME = data.get('branch')

# Validate all user inputs to prevent command injection
validate_input(STUDY_NAME, 'study')
validate_input(STUDY_NAME_PATH, 'path')
validate_input(AUTHOR_NAME, 'auth')
validate_input(BRANCH_NAME, 'branch')
validate_input(PR_TITLE, 'title')
validate_input(PR_BODY, 'desc')

Comment thread
GaneshPatil7517 marked this conversation as resolved.
Outdated
if(platform.uname()[0]=='Windows'):
proc=check_output(["contribute",STUDY_NAME,STUDY_NAME_PATH,AUTHOR_NAME,BRANCH_NAME,PR_TITLE,PR_BODY],cwd=concore_path,shell=True)
proc = subprocess.run(["contribute",STUDY_NAME,STUDY_NAME_PATH,AUTHOR_NAME,BRANCH_NAME,PR_TITLE,PR_BODY],cwd=concore_path,check=True,capture_output=True,text=True)
Comment thread
GaneshPatil7517 marked this conversation as resolved.
Outdated
output_string = proc.stdout
else:
if len(BRANCH_NAME)==0:
proc = check_output([r"./contribute",STUDY_NAME,STUDY_NAME_PATH,AUTHOR_NAME],cwd=concore_path)
else:
proc = check_output([r"./contribute",STUDY_NAME,STUDY_NAME_PATH,AUTHOR_NAME,BRANCH_NAME,PR_TITLE,PR_BODY],cwd=concore_path)
output_string = proc.decode()
output_string = proc.decode()
status=200
if output_string.find("/pulls/")!=-1:
status=200
Expand All @@ -320,6 +344,11 @@ def contribute():
else:
status=400
return jsonify({'message': output_string}),status
except ValueError as e:
return jsonify({'message': str(e)}), 400
except subprocess.CalledProcessError as e:
output_string = e.stderr if hasattr(e, 'stderr') and e.stderr else "Command execution failed"
Comment thread
GaneshPatil7517 marked this conversation as resolved.
Outdated
return jsonify({'message': output_string}), 501
except Exception as e:
output_string = "Some Error occured.Please try after some time"
status=501
Expand Down Expand Up @@ -365,18 +394,34 @@ def library(dir):
dir_path = os.path.abspath(os.path.join(concore_path, dir_name))
filename = request.args.get('filename')
library_path = request.args.get('path')

# Validate user inputs to prevent command injection
try:
validate_input(filename, 'filename')
validate_input(library_path, 'path')
Comment thread
GaneshPatil7517 marked this conversation as resolved.
Outdated
except ValueError as e:
resp = jsonify({'message': str(e)})
resp.status_code = 400
return resp

proc = 0
if (library_path == None or library_path == ''):
library_path = r"../tools"
if(platform.uname()[0]=='Windows'):
proc = subprocess.check_output([r"..\library", library_path, filename],shell=True, cwd=dir_path)
else:
proc = subprocess.check_output([r"../library", library_path, filename], cwd=dir_path)
if(proc != 0):
resp = jsonify({'message': proc.decode("utf-8")})
try:
if(platform.uname()[0]=='Windows'):
result = subprocess.run([r"..\library", library_path, filename], cwd=dir_path, check=True, capture_output=True, text=True)
proc = result.stdout
else:
proc = subprocess.check_output([r"../library", library_path, filename], cwd=dir_path)
proc = proc.decode("utf-8")
Comment thread
GaneshPatil7517 marked this conversation as resolved.
resp = jsonify({'message': proc})
resp.status_code = 201
return resp
else:
except subprocess.CalledProcessError as e:
resp = jsonify({'message': 'Command execution failed'})
Comment thread
GaneshPatil7517 marked this conversation as resolved.
Outdated
resp.status_code = 500
return resp
except Exception as e:
resp = jsonify({'message': 'There is an Error'})
resp.status_code = 500
return resp
Expand Down
Loading