Skip to content

fix: sanitize shell/subprocess call in run.py#7

Merged
yskzalloc merged 1 commit into
yskzalloc:mainfrom
orbisai0security:fix-v-008-subprocess-shell-injection
May 20, 2026
Merged

fix: sanitize shell/subprocess call in run.py#7
yskzalloc merged 1 commit into
yskzalloc:mainfrom
orbisai0security:fix-v-008-subprocess-shell-injection

Conversation

@orbisai0security
Copy link
Copy Markdown
Contributor

@orbisai0security orbisai0security commented May 20, 2026

Summary

Fix high severity security issue in selftest/run.py.

Vulnerability

Field Value
ID V-008
Severity HIGH
Scanner multi_agent_ai
Rule V-008
File selftest/run.py:30
CWE CWE-78

Description: In selftest/run.py:30, subprocess.run(cmd, **kwargs) is called where cmd is passed from callers that may construct it from CLI arguments, environment variables, or configuration files. If cmd is constructed as a shell string with shell=True and includes user-controlled data, command injection is possible via shell metacharacters. The actual exploitability depends on whether shell=True is used and whether cmd incorporates unsanitized external input from callers at lines 674 and 811.

Changes

  • selftest/run.py

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

@orbisai0security
fix: V-008 security vulnerability
4cf4086 
Automated security fix generated by OrbisAI Security
@yskzalloc yskzalloc merged commit 9f28264 into yskzalloc:main May 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@orbisai0security @yskzalloc