Derived from the flake8-bandit linter.
What it does
Checks for calls that start a process with a shell, providing guidance on whether the usage is safe or not.
Why is this bad?
Starting a process with a shell can introduce security risks, such as code injection vulnerabilities. It's important to be aware of whether the usage of the shell is safe or not.
This rule triggers on functions like os.system, popen, etc., which start processes with a shell. It evaluates whether the provided command is a literal string or an expression. If the command is a literal string, it's considered safe. If the command is an expression, it's considered potentially unsafe, because data that reaches the expression is interpreted by the shell.

The subprocess module provides more powerful facilities for spawning new processes and retrieving their results, and using that module is preferable to os.system or similar functions. Consider replacing such usages with subprocess.call or related functions, passing the command as an argument list rather than a shell string.
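The literal-versus-expression distinction the rule draws, as an added example that is not part of the Ruff or flake8-bandit code: a small AST-based checker run over a constructed module that contains both forms, next to the list-argument subprocess call the text recommends. The set of function names it looks for (SHELL_FUNCS) is an assumed subset, not the linter's full list.

```python
from __future__ import annotations

import ast

# Assumed subset of the shell-spawning functions the rule targets;
# the linter's own list is longer.
SHELL_FUNCS = {"os.system", "os.popen", "subprocess.getoutput",
               "subprocess.getstatusoutput"}


def _dotted_name(node: ast.AST) -> str | None:
    """Return 'os.system' for `os.system(...)`, 'popen' for a bare `popen(...)`."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def classify_shell_calls(source: str) -> list[tuple[int, str, str]]:
    """Find calls to SHELL_FUNCS and classify their first argument.

    Mirrors the rule's logic: a string literal is 'literal' (safe), anything
    else (concatenation, f-string, variable, ...) is 'expression' (unsafe).
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = _dotted_name(node.func)
        if name not in SHELL_FUNCS:
            continue
        cmd = node.args[0]
        is_literal = isinstance(cmd, ast.Constant) and isinstance(cmd.value, str)
        findings.append((node.lineno, name, "literal" if is_literal else "expression"))
    return sorted(findings)


# Constructed sample module: two flagged forms and the preferred rewrite.
SAMPLE = '''
import os
import subprocess

def list_dir(user_dir):
    os.system("ls -l /tmp")                  # literal: not flagged as unsafe
    os.system("ls -l " + user_dir)           # expression: shell sees user data
    os.popen(f"ls -l {user_dir}")            # expression: shell sees user data
    # Preferred: no shell; argv list keeps user_dir a single argument.
    subprocess.run(["ls", "-l", "--", user_dir], check=True)
'''

if __name__ == "__main__":
    for lineno, func, kind in classify_shell_calls(SAMPLE):
        print(f"line {lineno}: {func} command is a {kind}")
```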