Harden subprocess calls in bulk_generate_mad.py against command injection

[Copilot]

Strengthens subprocess usage in build_database function to prevent command injection vulnerabilities through explicit security controls and input validation.

Changes

• Input validation: Whitelist language parameter against known CodeQL languages (cpp, csharp, go, java, javascript, python, ruby, rust, swift); validate extractor_options as string-only iterable
• Explicit security: Set shell=False explicitly in all subprocess calls (build_database, clone_project, gitroot)
• Documentation: Add security expectations docstring and inline comments referencing OWASP/Python subprocess best practices

Example

Before:

def build_database(language: str, extractor_options, project: Project, project_dir: str):
    subprocess.check_call([
        "codeql", "database", "create",
        f"--language={language}",
        *extractor_options,
        database_dir,
    ])

After:

def build_database(language: str, extractor_options, project: Project, project_dir: str):
    SUPPORTED_LANGUAGES = {"cpp", "csharp", "go", "java", ...}
    if language not in SUPPORTED_LANGUAGES:
        raise ValueError(f"Unsupported language '{language}'")
    
    extractor_options_list = list(extractor_options)
    for opt in extractor_options_list:
        if not isinstance(opt, str):
            raise ValueError("All extractor options must be strings")
    
    subprocess.check_call([
        "codeql", "database", "create",
        f"--language={language}",
        *formatted_options,
        database_dir,
    ], shell=False)

Defense-in-depth approach: validates config file inputs despite trusted source, prevents regression from future refactoring.

Original prompt

Refactor the build_database function in misc/scripts/models-as-data/bulk_generate_mad.py to strengthen subprocess usage and prevent command injection vulnerabilities, as described in issue #5. Specifically:

• Explicitly set shell=False in all subprocess.check_call invocations (even if already defaulted) to make intent clear.
• Validate all user-controlled or variable inputs passed to subprocess, especially 'language' (restrict to a known set) and 'extractor_options' (ensure they are a dict or valid type, and do not contain unsafe data).
• Add comments above each subprocess call explaining the reasoning, referencing Python subprocess and OWASP security best practices. Indicate why this use is safe and what future maintainers should check.
• Add a docstring to build_database describing its security expectations and assumptions about input sources.
• Ensure all changes follow the repo's code style and are concise.

This refactor will make subprocess usage safe by default, guard against regressions, and improve auditability for future maintainers.

This pull request was created as a result of the following prompt from Copilot chat.

Refactor the build_database function in misc/scripts/models-as-data/bulk_generate_mad.py to strengthen subprocess usage and prevent command injection vulnerabilities, as described in issue #5. Specifically:

• Explicitly set shell=False in all subprocess.check_call invocations (even if already defaulted) to make intent clear.
• Validate all user-controlled or variable inputs passed to subprocess, especially 'language' (restrict to a known set) and 'extractor_options' (ensure they are a dict or valid type, and do not contain unsafe data).
• Add comments above each subprocess call explaining the reasoning, referencing Python subprocess and OWASP security best practices. Indicate why this use is safe and what future maintainers should check.
• Add a docstring to build_database describing its security expectations and assumptions about input sources.
• Ensure all changes follow the repo's code style and are concise.

This refactor will make subprocess usage safe by default, guard against regressions, and improve auditability for future maintainers.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.