Skip to content
Draft
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 7 additions & 3 deletions mount/chat_integration.py
Original file line number Diff line number Diff line change
Expand Up @@ -157,11 +157,15 @@
"--provider",
normalized_provider,
"--once",
"--",
message,
]

result = subprocess.run(cmd, capture_output=True, text=True, cwd=str(self.chat_path))
result = subprocess.run(
cmd,

Check failure

Code scanning / CodeQL

Uncontrolled command line Critical

This command line depends on a
user-provided value
.
input=message,
capture_output=True,
text=True,
cwd=str(self.chat_path),
)
Comment on lines +162 to +168

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:
Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by dangerous-subprocess-use-audit.

You can view more details about this finding in the Semgrep AppSec Platform.


return {
"success": result.returncode == 0,
Expand Down
Loading