How to fix security issue in python?

Question

I have used os.system('cls' if os.name == 'nt' else 'clear') to clear the ouput while running scripts but on codacy i am getting one securiy issue

Starting a process with a shell, possible injection detected, security issue.

How to resolve the issue?

Script link: https://www.codacy.com/app/vaibhavsingh97/StalkPy/file/9458582870/issues/source?bid=5189215&fileBranchId=5189215#l43

Answer 1

From os.system

The subprocess module provides more powerful facilities for spawning new processes and retrieving their results; using that module is preferable to using this function. See the Replacing Older Functions with the subprocess Module section in the subprocess documentation for some helpful recipes.

I recommend a test with one of the subprocess passing as parameter shell=False and see if that work on codacy. subprocess.run(['clear']) worked in my local Python interpreter, you would have to test it on codacy.

If Python 2.x, you can try:

subprocess.call(['clear'])

Answer 2

It has security issues just when you run the function with arguments taken from users. For example:

import os
def do_clear(command): # Notice command is sent as argument from outside world and hence this makes it vulnerable
    os.system(command)

If the method is called with for example

do_clear('rm -f */*')

Then it is possible that it deletes all the files of current directory. But if the 'clear' command is to be directly used, you do not have to worry about the security issue, as only 'clear' is run in all conditions. So the following function is secure enough.

def do_clear(): # Notice command is not sent as argument from outside world
    os.system('cls' if os.name == 'nt' else 'clear') # This is not risky as os.system takes clear/cls command always.