1

My original question is here : https://stackoverflow.com/questions/50164551/starting-a-process-with-a-shell-possible-injection-detected-security-issue

Didn't receive any answers there, so cross-posting it here.

I just want to know an alternative to
import commands
commands.getoutput()

the commands library.
Is there a way of doing this using something like os or subprocess?

Improve this question

3 Answers 3

Reset to default
1

commands is deprecated and should be replaced with subprocess calls. A replacement for commands.getoutput() is subprocess.Popen().communicate():

import subprocess import shlex command = shlex.split('/bin/ls -l -a -h') process = subprocess.Popen(command, stdout=subprocess.PIPE) stdout, stderr = process.communicate()

bandit will probably still throw you a low severity issue because you still use subprocess which is unsafe per se as anything invoking a shell, but this is inavoidable. See the remaining warning as a reminder on a potential insecurity in your code - depending on what you actually are calling in a shell, you have to do the checking yourself - is it a command hardcoded in a string constant, or a user input, or something variable depending on calling code? In any case, it's always advised to do the sanitization, Python has pipes module for that.

Improve this answer
5
  • I am able to use it, could please tell how to find the package version of shlex and subprocess? I'm unable to do it using pip list | grep shlex and python -c "import ushlex; print(ushlex.__version__)" Commented May 23, 2018 at 23:40
  • I want to intall them via pip install -r packages.txt Commented May 23, 2018 at 23:40
  • 1
    Both shlex (since Python 1.5.2) and subprocess (since Python 2.4) are part of Python's standard library, so you don't have to install them separately. Commented May 24, 2018 at 8:11
  • what is the purpose command = shlex.split('/bin/ls -l -a -h') does subprocess require the command to follow a particular format? Commented May 24, 2018 at 15:26
  • 1
    Yes, subprocess expects the command to be passed as a list of strings, so ls -l would be called as subprocess.Popen(['ls', '-l']). This what shlex.split does: shlex.split('ls -l') returns ['ls', '-l']. Commented May 24, 2018 at 15:40
1

The "standard" way would be subprocess, as per hoefling's answer, but some more modern ways are available if you don't mind using external libraries.

envoy has been deprecated by delegator and here's how it looks:

In [1]: import delegator In [2]: print delegator.run('pwd').out /home/vince

I installed it with:

pip install git+https://github.com/kennethreitz/[email protected]
Improve this answer
1
  • thanks. basically I am looking for an alternative to commands.getoutput() is all. Commented May 10, 2018 at 21:23
1 
import subprocess commands = subprocess

Leave rest code same, it will work as it is

Improve this answer
1
  • It does! this is great :) Commented May 28, 2023 at 13:41

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.