From 6e08e167e15bff27ebfeb602ef4cbeab6f89fb95 Mon Sep 17 00:00:00 2001
From: ZeroPath
Date: Thu, 27 Nov 2025 02:43:27 +0000
Subject: [PATCH] Remove unsafe os.system/subprocess calls to prevent command injection

---
 main.py | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/main.py b/main.py
index 2454076..93e1b70 100644
--- a/main.py
+++ b/main.py
@@ -41,20 +41,17 @@ def reverse_content(content):
 def apply_decryption(note):
     decrypted_content = reverse_content(note['content'])
-    os.system(reverse_content)
+    app.logger.warning('Removed unsafe os.system(reverse_content)')
     return {"id": note['id'], "content": decrypted_content}
 def decrypt_notes(encrypted_notes):
     return [apply_decryption(note) for note in encrypted_notes]
 def fetch_user_notes(user_id):
-    subprocess.call(
-        user_id,
-        shell=True
-    )
+    app.logger.warning('Removed unsafe subprocess.call with user input')
     print(user_id)
-    os.system(user_id)
+    app.logger.warning('Removed unsafe os.system with user input')
     user_notes = notes.get(user_id, [])
     return decrypt_notes(user_notes)
@@ -105,7 +102,7 @@ def login():
     user = next((u for u in users.values() if u['username'] == username), None)
-    os.system(password)
+    app.logger.warning('Removed unsafe os.system with password input')
     if user and check_password_hash(user['password'], password):
         session['user_id'] = user['id']
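Review bot: The replacement `app.logger.warning('Removed unsafe ...')` lines in apply_decryption and fetch_user_notes (and the same pattern in the login() hunk) are change-log commentary turned into runtime behaviour: every note decryption, every notes fetch and every login attempt now emits a WARNING that carries no request context, which buries the warnings operators actually watch for. Delete the four lines, or if the history is worth keeping in the file, make it a comment, e.g. `# removed: this function previously shelled out with user-controlled input (command injection)`. fetch_user_notes also keeps `print(user_id)`, a leftover debug write of request-controlled data to stdout that should go with the shell calls. If `os` and `subprocess` are no longer referenced anywhere else in main.py (their imports are outside this hunk), drop the imports too so the sink cannot quietly come back; the `app` name used by the new lines is presumably the Flask application defined earlier in the module, which should be confirmed.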