Calling `subprocess.call`, `subprocess.run`, or `subprocess.Popen` with `shell=True` can leave the host shell open to local code execution or remote code execution attacks.
```python
import subprocess
# `opt` is a value that is not a string literal (e.g. derived from input); flagged by this rule
ret = subprocess.call(['ps', opt], shell=True)
```

```python
import subprocess
# same pattern with subprocess.run
ret = subprocess.run(['ps', opt], shell=True)
```

```python
import subprocess
# same pattern with subprocess.Popen
ret = subprocess.Popen(['ps', opt], shell=True)
```
- String literals are OK
- Lists of string literals are OK
- Call expressions or reference expressions (anything that is not a literal) are treated as "unsafe" unless escaped
Only use `shell=True` if absolutely required, and then wrap any input in `shlex.quote`, e.g.:

```python
import subprocess
import shlex
# shlex.quote turns `opt` into a single shell word, so metacharacters in it are not interpreted
ret = subprocess.call(['ps', shlex.quote(opt)], shell=True)
```
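The following added example (not part of the original rule text) shows what the rule is guarding against: the same untrusted value `opt` passed to a command built as a shell string, with `shlex.quote`, and as a plain argument list with `shell=False`. It uses the running Python interpreter as a stand-in for `ps` so the output is deterministic; `opt`, `CHILD` and the function names are constructed for this example.

```python
import shlex
import subprocess
import sys

# Stand-in for "ps": a tiny child program that prints its first argument.
# (constructed for this example; a real command would behave the same way)
CHILD = "import sys; print(sys.argv[1])"
# Interpreter path, quoted so it is safe to embed in a shell string
PY = shlex.quote(sys.executable)


def run_shell_unquoted(opt: str) -> str:
    """Flagged pattern: untrusted `opt` pasted into a shell command string.
    /bin/sh parses `opt`, so any metacharacters in it are honoured."""
    cmd = f"{PY} -c {shlex.quote(CHILD)} {opt}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_shell_quoted(opt: str) -> str:
    """If shell=True is unavoidable: shlex.quote makes `opt` one shell word."""
    cmd = f"{PY} -c {shlex.quote(CHILD)} {shlex.quote(opt)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_list(opt: str) -> str:
    """Preferred form: argv list with shell=False; no shell ever parses `opt`."""
    return subprocess.run([sys.executable, "-c", CHILD, opt],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed input: a harmless second command appended after ';'
    opt = "aux; echo INJECTED"
    print(repr(run_shell_unquoted(opt)))  # 'aux\nINJECTED\n'  -> the extra command ran
    print(repr(run_shell_quoted(opt)))    # 'aux; echo INJECTED\n' -> passed as one argument
    print(repr(run_argv_list(opt)))       # 'aux; echo INJECTED\n' -> passed as one argument
```

Note that `shlex.quote` only helps where the quoted value is embedded in a command string that a shell will parse; dropping `shell=True` and passing an argument list removes the shell from the picture entirely.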