SECURITY: Command injection vulnerabilities in system() calls across 10 Fortran files #781

@krystophny

Description

PROBLEM: 10 Fortran files use system() calls, creating potential command injection vulnerabilities.

EVIDENCE:

  • Grep results show system() calls in:
    • /home/ert/code/fortplot/test/test_scatter_enhanced.f90
    • /home/ert/code/fortplot/src/figures/fortplot_figure_core.f90
    • /home/ert/code/fortplot/src/fortplot_figure_core_io.f90
    • And 7 other files
  • CLAUDE.md security rules prohibit system() for security risks

IMPACT:

  • Command injection attacks possible if user input reaches system() calls
  • Security vulnerability in production environments
  • Violates secure coding practices

SOLUTION:

  1. Replace system() calls with secure alternatives
  2. Use established secure libraries only
  3. Validate and sanitize all inputs to external commands
  4. Implement proper error handling for command execution
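
As an added illustration (not code from fortplot or from the issue author), the hypothetical module below shows the pattern steps 3 and 4 ask for: a strict allowlist check on a caller-supplied filename, then the standard execute_command_line with exitstat/cmdstat in place of the non-standard system() extension. execute_command_line still runs the string through a shell, so it is the refusal of unvalidated input, not the swapped call, that removes the injection risk; the ls -l command and the allowlist are placeholders chosen for this example.

```fortran
! Hypothetical helper, not fortplot code: refuse any caller-supplied
! filename that could alter a shell command it is spliced into.
module safe_exec
  implicit none
  private
  public :: is_safe_filename, run_validated

  ! Conservative allowlist: letters, digits, dot, underscore, hyphen.
  character(len=*), parameter :: allowed = &
       'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-'

contains

  ! .true. only if name is non-empty, every character is allowlisted,
  ! it does not start with '-' (would be parsed as an option) and does
  ! not contain '..' (path traversal). Spaces, quotes, ';', '|', '$'
  ! and similar shell metacharacters are therefore rejected outright.
  logical function is_safe_filename(name)
    character(len=*), intent(in) :: name
    integer :: i
    is_safe_filename = .false.
    if (len_trim(name) == 0) return
    if (name(1:1) == '-') return
    if (index(name, '..') > 0) return
    do i = 1, len_trim(name)
      if (index(allowed, name(i:i)) == 0) return
    end do
    is_safe_filename = .true.
  end function is_safe_filename

  ! Replaces the vulnerable pattern
  !   call system('ls -l ' // trim(name))
  ! with validation, the Fortran 2008 execute_command_line intrinsic and
  ! explicit error handling. status is the command's exit code, or -1 if
  ! the input was rejected or the command could not be launched.
  subroutine run_validated(name, status)
    character(len=*), intent(in) :: name
    integer, intent(out) :: status
    integer :: cmdstat
    status = -1
    if (.not. is_safe_filename(name)) return   ! refuse, do not "sanitise"
    call execute_command_line('ls -l ' // trim(name), wait=.true., &
         exitstat=status, cmdstat=cmdstat)
    if (cmdstat /= 0) status = -1              ! launch failure, not exit code
  end subroutine run_validated

end module safe_exec
```

With this check, 'plot_01.png' is accepted while 'a b.png', '-rf', '../x' or any name containing a shell metacharacter is rejected before a shell is ever involved.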

SEVERITY: HIGH - Security vulnerability requiring immediate attention

Metadata

Labels

duplicate: This issue or pull request already exists