Fix critical security issues. (#301)

* Fix critical security issues. * Fix critical security issues. * Fix critical security issues.
biothings · Oct 18, 2023 · adc7b72 · adc7b72
1 parent ebe24dc
commit adc7b72
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/biothings/utils/version.py b/biothings/utils/version.py
@@ -18,7 +18,7 @@
 def get_python_version():
     """Get a list of python packages installed and their versions."""
     try:
-        output = check_output(f'{sys.executable or "python3"} -m pip list', shell=True, stderr=DEVNULL)
+        output = check_output([sys.executable or "python3", "-m", "pip", "list"], stderr=DEVNULL)
         return output.decode("utf-8").replace("\r", "").split("\n")[2:-1]
     except Exception:
         return []

diff --git a/setup.py b/setup.py
@@ -17,13 +17,15 @@ def read(fname):
 # version gets set to MAJOR.MINOR.# commits on master branch if installed from pip repo
 # otherwise to MAJOR.MINOR.MICRO as defined in biothings.version
 try:
-    NUM_COMMITS = check_output("git rev-list --count master", shell=True).strip().decode("utf-8")
+    command = ["git", "rev-list", "--count", "master"]
+    NUM_COMMITS = check_output(command).strip().decode("utf-8")
 except CalledProcessError:
     NUM_COMMITS = ""
 
 # Calculate commit hash, should fail if installed from source or from pypi
 try:
-    COMMIT_HASH = check_output("git rev-parse HEAD", shell=True).strip().decode("utf-8")
+    command = ["git", "rev-parse", "HEAD"]
+    COMMIT_HASH = check_output(command).strip().decode("utf-8")
 except CalledProcessError:
     COMMIT_HASH = ""