Python subprocess.run in secure way


My Python script has to run a binary that is available only via the console, so I use subprocess.run and it looks like this:

import subprocess

CMD = [
    "C:\\Program Files\\Azure DevOps Server 2019\\Tools\\TFSSecurity.exe",
    "/gd",
    f"[{ARGS.projectName}]\\{ARGS.groupName}",
    f"/collection:{ARGS.organization}",
]

DELETE_OUTPUT = subprocess.run(
    CMD, check=True, stdout=subprocess.PIPE, shell=True
).stdout.decode("utf-8")

print(f"[DEBUG] DELETE_OUTPUT: {DELETE_OUTPUT}")

It works fine, but Bandit reports some issues:

[B404:blacklist] Consider possible security implications associated with subprocess module.

[B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue

Is there a way to run the CLI in a more secure way to make Bandit happy?


There are 0 answers
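The question has no answer on the page. The following is an added example (not from the question's author) of the pattern that removes the B602 finding: drop shell=True, pass the command as a list so every user-supplied value reaches the program as exactly one argv entry, and allowlist-validate the values that come from the command line before they are used. The helper names (run_tool, is_safe_name, build_delete_command, echo_argument) and the validation regex are assumptions made for this example; the TFSSecurity.exe path and switches are taken from the question. echo_argument uses sys.executable as a stand-in for the real tool so the example runs on any platform.

```python
import re
import subprocess
import sys
from typing import List, Sequence

# Assumed allowlist for values taken from argparse: letters, digits, space,
# underscore, dot and hyphen. Adjust it to the names your organisation uses.
_NAME_RE = re.compile(r"[\w .-]+")

# Path from the original question; kept absolute so Bandit does not raise
# B607 (partial executable path) on top of the shell finding.
TFSSECURITY = "C:\\Program Files\\Azure DevOps Server 2019\\Tools\\TFSSecurity.exe"


def is_safe_name(name: str) -> bool:
    """True if `name` contains only characters on the allowlist."""
    return bool(name) and _NAME_RE.fullmatch(name) is not None


def build_delete_command(project: str, group: str, collection: str) -> List[str]:
    """Build the TFSSecurity /gd argv list, refusing names outside the allowlist."""
    for value in (project, group, collection):
        if not is_safe_name(value):
            raise ValueError(f"refusing unsafe argument: {value!r}")
    # Each element is one argv entry; nothing here is parsed by cmd.exe.
    return [
        TFSSECURITY,
        "/gd",
        f"[{project}]\\{group}",
        f"/collection:{collection}",
    ]


def run_tool(argv: Sequence[str], timeout: float = 60.0) -> str:
    """Run argv without a shell and return its decoded stdout.

    shell=False means metacharacters such as ';', '&&' or '|' inside an
    argument are passed through literally instead of being interpreted.
    """
    if not argv or not all(isinstance(a, str) for a in argv):
        raise ValueError("argv must be a non-empty sequence of strings")
    completed = subprocess.run(  # nosec B603 - fixed argv list, no shell
        list(argv),
        check=True,
        capture_output=True,
        text=True,
        timeout=timeout,
    )
    return completed.stdout


def echo_argument(value: str) -> str:
    """Send `value` as a single argv entry to a child interpreter and return it.

    Stand-in for the real tool: whatever comes back is exactly what the child
    received as argv[1], so shell-looking input proves it was not interpreted.
    """
    script = "import sys; sys.stdout.write(sys.argv[1])"
    return run_tool([sys.executable, "-c", script, value])


if __name__ == "__main__":
    print(build_delete_command("MyProject", "Contributors", "https://dev.azure.com/org"))
    print(repr(echo_argument("foo; echo injected")))
```

With shell=True removed, Bandit replaces the high-severity B602 with the low-severity B603 (subprocess call without shell, a reminder to check the inputs) and keeps B404 on the import; both are informational once the argv list is built only from validated values, and the nosec marker above documents that decision at the call site. Note that a forward slash and a colon are not on the allowlist, so an organisation URL such as the one in the usage call would be rejected by is_safe_name; widen the pattern for that one field if your collection value is a URL.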