Restrict invokig subprocess.run
via an internal API
#514
Labels
code quality
The code quality related tasks
Milestone
We need to manage and restrict the environment passed to the
subprocess.run
invocation by creating an internal API. We need to create an allow list for theenv
argument to prevent the subprocess from accessing sensitive data, such as GitHub tokens. We can also make sure that the dangerous argumentshell=True
is never used.The text was updated successfully, but these errors were encountered: