
fix: use subprocess instead of os.system in checkPackageRuning.py #35172

Open
orbisai0security wants to merge 10000 commits into taosdata:develop from
orbisai0security:fix-fix-v004-shell-injection-checkpackageruning

Conversation

@orbisai0security

Summary

Fix critical severity security issue in packaging/checkPackageRuning.py.

Vulnerability

Field      Value
ID         V-004
Severity   CRITICAL
Scanner    multi_agent_ai
Rule       V-004
File       packaging/checkPackageRuning.py:50

Description: The serverHost variable is interpolated directly into os.system() shell command strings at lines 50, 90, and 94 of checkPackageRuning.py using Python's % string formatting. os.system() passes the resulting string to /bin/sh, which interprets shell metacharacters. If serverHost is sourced from an environment variable, configuration file, or command-line argument without sanitization, an attacker can inject arbitrary shell commands that execute with the full privileges of the packaging script.

Changes

  • packaging/checkPackageRuning.py

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security
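The PR description above explains the bug class but the diff is not shown on this page, so the following is an added, stand-alone illustration, not code from taosdata/TDengine or from the OrbisAI fix. It reproduces the unsafe pattern the description names (`os.system("... %s" % serverHost)`, which hands the string to /bin/sh) beside the argument-list `subprocess` form, and adds an input check as defence in depth. `echo` stands in for whatever command the real script runs at line 50 (an assumption, so the output can be captured and compared); `vulnerable_run`, `hardened_run`, `validate_host` and the `localhost; echo INJECTED` value are all constructed for this example.

```python
import re
import subprocess

# Constructed for this example: a conservative hostname/IPv4 shape. Assumes the
# deployment never needs IPv6 literals or other characters (adjust if it does).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def vulnerable_run(server_host: str) -> str:
    """Same pattern the PR describes: the host is %-formatted into a shell string.

    os.system() only returns an exit status, so shell=True is used here to
    capture stdout; both paths hand the string to /bin/sh, which interprets
    metacharacters such as ';', '|', '$()' in server_host.
    """
    cmd = "echo %s" % server_host          # 'echo' is a stand-in for the real command
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, check=False).stdout


def hardened_run(server_host: str) -> str:
    """Argument-list form: no shell is involved, so the host reaches the program
    as a single argv element no matter what characters it contains."""
    return subprocess.run(["echo", server_host], capture_output=True,
                          text=True, check=False).stdout


def validate_host(server_host: str) -> str:
    """Defence in depth: reject anything that is not a plausible host before it
    is used at all. This still matters with subprocess, e.g. if the value is
    later embedded in a command string sent to a remote shell over ssh."""
    if len(server_host) > 253 or not HOSTNAME_RE.match(server_host):
        raise ValueError("invalid server host: %r" % server_host)
    return server_host


if __name__ == "__main__":
    tainted = "localhost; echo INJECTED"   # constructed attacker-controlled value
    print("os.system-style :", repr(vulnerable_run(tainted)))   # second command runs
    print("subprocess list :", repr(hardened_run(tainted)))     # literal string only
    try:
        validate_host(tainted)
    except ValueError as exc:
        print("validation      :", exc)
```

Switching to an argument list removes the shell from the picture for the local process, which is what the PR title describes. The `validate_host` check is the extra step a reviewer would ask for if the scanner's premise holds (the value comes from an environment variable, config file or CLI argument), because it also protects any downstream use of the host that an argv list cannot.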

