Shell injection #4
Comments
@AHReccese Please take a look at this issue.
@sepandhaghighi
0- Check input is a valid file path with a proper sound-associated format (such as mp3 and ...)
By using

For example, consider the following code:

```python
import subprocess

# user_input is untrusted input from the user
user_input = "hello; rm -rf /"
# shell=True is what lets the shell interpret the ';' in the untrusted string
subprocess.check_call(f"echo {user_input}", shell=True)
```

If the user enters the string "hello; rm -rf /", this code will execute the following command:

```
echo hello; rm -rf /
```

However, if we modify the code to use shlex.quote() to escape the user input like this:

```python
import shlex
import subprocess

# user_input is untrusted input from the user
user_input = "hello; rm -rf /"
# the quoted value reaches the shell as one literal argument
subprocess.check_call(f"echo {shlex.quote(user_input)}", shell=True)
```

Then the echo command will receive the escaped string as an argument, like this:

```
echo 'hello; rm -rf /'
```

The difference between the two functions lies in how they handle errors.
So, why use
One reason is that
Another reason is that
Finally,
Overall,
@AHReccese Thanks for your effort 🔥
check sound file existence added
quote the file path in a decorator pattern manner
associated docstrings added

* Fix Shell injection issue (#4)
  check sound file existence added
  quote the file path in a decorator pattern manner
  associated docstrings added
* quote and path_check decorator as a function added
  nava params renamed
  associated docstrings updated
* requested changes applied
* requested changes applied
* requested changes applied
@sadrasabouri @sepandhaghighi

We will close it after
Description

We use subprocess to play sound in Linux and macOS (__play_linux and __play_mac functions), so we should prevent possible shell injections from sound_path.

@input_check
sound_path should be a path
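The check the issue asks for (an existing file in a supported format, then shlex.quote before the path reaches the shell), written as an added example of the decorator approach; it is not nava's own code. input_check, path_check, SUPPORTED_FORMATS and play_linux_command are assumed names standing in for the project's decorator and its __play_linux function, and the example returns the command string instead of launching a player.

```python
import os
import shlex
import tempfile
from functools import wraps

# Assumed for this example: the formats the player is allowed to open.
SUPPORTED_FORMATS = (".wav", ".mp3")


def path_check(sound_path):
    """Reject anything that is not an existing file in a supported format."""
    if not isinstance(sound_path, str):
        raise TypeError("sound_path should be a path string")
    if not os.path.isfile(sound_path):
        raise FileNotFoundError(f"no such sound file: {sound_path!r}")
    if not sound_path.lower().endswith(SUPPORTED_FORMATS):
        raise ValueError(f"unsupported sound format: {sound_path!r}")

def input_check(func):
    """Decorator: validate sound_path, then hand the wrapped player a
    shell-quoted path so metacharacters in a file name stay literal."""
    @wraps(func)
    def wrapper(sound_path, *args, **kwargs):
        path_check(sound_path)
        return func(shlex.quote(sound_path), *args, **kwargs)
    return wrapper

@input_check
def play_linux_command(sound_path):
    """Hypothetical stand-in for nava's __play_linux: returns the command
    string that the real function would hand to subprocess with shell=True."""
    return f"aplay {sound_path}"

def rejection(sound_path):
    """Name of the exception input_check raises for sound_path, or None."""
    try:
        play_linux_command(sound_path)
    except (TypeError, FileNotFoundError, ValueError) as exc:
        return type(exc).__name__
    return None

def demo():
    """Constructed check: a real .wav whose name carries ';' and a space, plus a .txt."""
    with tempfile.TemporaryDirectory() as tmp:
        tricky = os.path.join(tmp, "song; echo injected.wav")
        wrong = os.path.join(tmp, "note.txt")
        for name in (tricky, wrong):
            open(name, "w").close()
        argv = shlex.split(play_linux_command(tricky))
        # After quoting, the shell sees exactly two words: aplay and the full path.
        return {"intact": argv == ["aplay", tricky], "wrong_format": rejection(wrong)}
```

Passing an argument list to subprocess without shell=True avoids the quoting problem altogether; the decorator is the defence for the case where a shell command string is unavoidable.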