Description
Found during PLAY workflow audit - security vulnerabilities in system command execution:
High-Risk System Command Calls
Found in fortplot_forensic_comparison.f90:
- Line 153: execute_command_line("git branch --show-current > current_branch.tmp")
- Lines 174, 181, 197, 204: multiple git and build commands without validation
- Direct shell command execution without input sanitization
Found in fortplot_matplotlib_io.f90:
- Line 257: execute_command_line("sleep 0.1", wait=.true.)
- Line 261: execute_command_line("sleep 1", wait=.true.)
Found in fortplot_security.f90:
- Lines 220, 662: commands executed with minimal validation
Security Vulnerabilities
- Command Injection: No input sanitization before execution
- Path Traversal: Insufficient path validation
- Shell Escape: Direct shell access without sandboxing
- Privilege Escalation: System commands run with process privileges
Impact Assessment
- HIGH: Forensic comparison module allows arbitrary command execution
- MEDIUM: Sleep commands hardcoded but could be modified
- MEDIUM: File operations without proper validation
Affected Functionality
- Forensic rendering comparison tools
- Image display functionality
- Test security operations
- System integration features
Recommended Fixes
- Replace execute_command_line with secure alternatives
- Implement command whitelist/validation
- Use Fortran file I/O instead of shell commands
- Sandbox system operations
- Remove forensic comparison module or secure it properly
Security Module Contradiction
The codebase has fortplot_security.f90 and fortplot_system_secure.f90 modules that provide secure alternatives, but unsafe execute_command_line calls still exist elsewhere.
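As an added illustration of the "use Fortran file I/O instead of shell commands" recommendation for the line 153 call, the following is a replacement that reads the checked-out branch from .git/HEAD with plain Fortran I/O, so no shell is spawned and no temporary file is written. This is example code, not code from fortplot; the module and function names (branch_from_head, current_branch) are hypothetical, and it assumes the conventional layout where .git is a directory (a .git file, as used by worktrees and submodules, is reported as "not a repository").

```fortran
! Added example (not fortplot code): read the current git branch without
! execute_command_line. Because no shell is involved, repo_dir cannot inject
! commands; it is still only ever opened as a file path.
module branch_from_head
  implicit none
  private
  public :: current_branch
contains
  ! Returns .true. if <repo_dir>/.git/HEAD was read. On a normal checkout the
  ! file holds "ref: refs/heads/<name>" and branch is set to <name>. On a
  ! detached HEAD the file holds a commit hash, so branch is left empty.
  logical function current_branch(repo_dir, branch)
    character(len=*), intent(in)  :: repo_dir
    character(len=*), intent(out) :: branch
    character(len=*), parameter :: prefix = 'ref: refs/heads/'
    character(len=512) :: line      ! assumed upper bound on the HEAD line
    integer :: unit, ios

    branch = ''
    current_branch = .false.

    open(newunit=unit, file=trim(repo_dir)//'/.git/HEAD', status='old', &
         action='read', iostat=ios)
    if (ios /= 0) return            ! not a repository, or HEAD unreadable

    read(unit, '(A)', iostat=ios) line
    close(unit)
    if (ios /= 0) return            ! empty or truncated HEAD file

    if (index(line, prefix) == 1) then
      branch = line(len(prefix)+1:len_trim(line))
    end if
    current_branch = .true.
  end function current_branch
end module branch_from_head

program demo
  use branch_from_head
  implicit none
  character(len=256) :: name
  if (current_branch('.', name)) then
    print '(A)', 'branch: '//trim(name)   ! empty when HEAD is detached
  else
    print '(A)', 'not a git checkout'
  end if
end program demo
```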