fix: use subprocess instead of os.system in checkPackageRuning.py#35172
Open
orbisai0security wants to merge 10000 commits intotaosdata:developfrom
Open
fix: use subprocess instead of os.system in checkPackageRuning.py#35172orbisai0security wants to merge 10000 commits intotaosdata:developfrom
orbisai0security wants to merge 10000 commits intotaosdata:developfrom
Conversation
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fix critical severity security issue in
packaging/checkPackageRuning.py.Vulnerability
V-004packaging/checkPackageRuning.py:50Description: The serverHost variable is interpolated directly into os.system() shell command strings at lines 50, 90, and 94 of checkPackageRuning.py using Python's % string formatting. os.system() passes the resulting string to /bin/sh, which interprets shell metacharacters. If serverHost is sourced from an environment variable, configuration file, or command-line argument without sanitization, an attacker can inject arbitrary shell commands that execute with the full privileges of the packaging script.
Changes
packaging/checkPackageRuning.pyVerification
Automated security fix by OrbisAI Security