diff --git a/ai_agents/agents/examples/voice-assistant-nodejs/tenapp/ten_packages/extension/main_nodejs/tools/run_script.py b/ai_agents/agents/examples/voice-assistant-nodejs/tenapp/ten_packages/extension/main_nodejs/tools/run_script.py
index 616bc1b093..8f108e9835 100644
--- a/ai_agents/agents/examples/voice-assistant-nodejs/tenapp/ten_packages/extension/main_nodejs/tools/run_script.py
+++ b/ai_agents/agents/examples/voice-assistant-nodejs/tenapp/ten_packages/extension/main_nodejs/tools/run_script.py
@@ -5,6 +5,7 @@
 # See the LICENSE file for more information.
 #
 import argparse
+import shlex
 import subprocess
 import sys
 import os
@@ -15,7 +16,8 @@ def run_cmd(cmd: str, env: dict[str, str] | None = None) -> int:
     if env is None:
         env = os.environ.copy()
     print(f"Running: {cmd}")
-    result = subprocess.run(cmd, shell=True, check=True, env=env)
+    # Use shell=False to avoid shell injection vulnerabilities
+    result = subprocess.run(shlex.split(cmd), shell=False, check=True, env=env)
     return result.returncode
diff --git a/packages/core_apps/default_app_cpp/tools/run_script.py b/packages/core_apps/default_app_cpp/tools/run_script.py
index 64a329c7e6..01e135e60c 100644
--- a/packages/core_apps/default_app_cpp/tools/run_script.py
+++ b/packages/core_apps/default_app_cpp/tools/run_script.py
@@ -7,6 +7,7 @@
 import argparse
 import platform
+import shlex
 import subprocess
 import sys
@@ -52,7 +53,8 @@ def detect_arch() -> str:
 def run_cmd(cmd: str) -> int:
     """Run a shell command."""
     print(f"Running: {cmd}")
-    result = subprocess.run(cmd, shell=True, check=True)
+    # Use shell=False to avoid shell injection vulnerabilities
+    result = subprocess.run(shlex.split(cmd), shell=False, check=True)
     return result.returncode
diff --git a/packages/core_extensions/default_extension_cpp/tools/run_script.py b/packages/core_extensions/default_extension_cpp/tools/run_script.py
index b2a0c2783c..604838c187 100644
--- a/packages/core_extensions/default_extension_cpp/tools/run_script.py
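Review bot: The added comment `# Use shell=False to avoid shell injection vulnerabilities` overstates what this buys: with `shlex.split(cmd)` the string can no longer smuggle `;`, `|` or `$(...)` past a shell, but whoever controls `cmd` still chooses the executable and every argument, so the call is only safe when `cmd` comes from a trusted source. It is also a silent behaviour change for any caller that relied on shell syntax — `shlex.split` hands `|`, `&&`, `*` and `$HOME` to the program as literal arguments — and the call sites are outside this hunk, so I cannot confirm none do. I would reword the comment to `# No shell: cmd is tokenised with shlex, so pipes, globs and $VAR are NOT expanded; cmd must still be trusted input` and, as a follow-up, let run_cmd accept an argv list so callers never assemble a string at all. The `def run_cmd` line sits just above this hunk.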
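Review bot: The docstring `"""Run a shell command."""` right under `def run_cmd` in this hunk is now wrong — there is no shell, and what replaced it (POSIX tokenisation via `shlex`, no expansion of pipes, globs or `$VAR`) is exactly what a caller needs to be told. Since this file imports `platform` and defines `detect_arch`, it presumably runs on Windows too, where `shlex.split` still applies POSIX quoting and so strips the backslashes from a path like `C:\foo\bar` before `subprocess` sees it; an argv-list parameter would sidestep that. I would also guard the degenerate case, because `shlex.split("")` returns `[]` and `subprocess.run([])` fails with an opaque error (an IndexError on POSIX): `argv = shlex.split(cmd)` / `if not argv: raise ValueError("empty command")` / `result = subprocess.run(argv, check=True)`. Suggested docstring: `"""Run cmd without a shell: it is split with shlex into argv, so shell syntax is passed literally; raises CalledProcessError on a non-zero exit."""`.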
+++ b/packages/core_extensions/default_extension_cpp/tools/run_script.py
@@ -6,6 +6,7 @@
 #
 import argparse
 import platform
+import shlex
 import subprocess
 import sys
 import os as os_module
@@ -53,7 +54,8 @@ def run_cmd(cmd: str, env: dict[str, str] | None = None) -> int:
     if env is None:
         env = os_module.environ.copy()
     print(f"Running: {cmd}")
-    result = subprocess.run(cmd, shell=True, check=True, env=env)
+    # Use shell=False to avoid shell injection vulnerabilities
+    result = subprocess.run(shlex.split(cmd), shell=False, check=True, env=env)
     return result.returncode
diff --git a/packages/core_extensions/default_extension_nodejs/tests/bin/start.py b/packages/core_extensions/default_extension_nodejs/tests/bin/start.py
index c4ae1adfc0..bba62794ab 100644
--- a/packages/core_extensions/default_extension_nodejs/tests/bin/start.py
+++ b/packages/core_extensions/default_extension_nodejs/tests/bin/start.py
@@ -16,14 +16,14 @@
 # npm install
 print("Running npm install...")
-result = subprocess.run(["npm", "install"], env=env, shell=True)
+result = subprocess.run(["npm", "install"], env=env)
 if result.returncode != 0:
     print("npm install failed")
     sys.exit(result.returncode)
 # npm run build
 print("Running npm run build...")
-result = subprocess.run(["npm", "run", "build"], env=env, shell=True)
+result = subprocess.run(["npm", "run", "build"], env=env)
 if result.returncode != 0:
     print("npm run build failed")
     sys.exit(result.returncode)
@@ -51,5 +51,5 @@
 # npm test
 print("Running npm test...")
-result = subprocess.run(["npm", "test"], env=env, shell=True)
+result = subprocess.run(["npm", "test"], env=env)
 sys.exit(result.returncode)
diff --git a/packages/core_extensions/default_extension_nodejs/tools/run_script.py b/packages/core_extensions/default_extension_nodejs/tools/run_script.py
index 616bc1b093..427154ffec 100644
--- a/packages/core_extensions/default_extension_nodejs/tools/run_script.py
+++ b/packages/core_extensions/default_extension_nodejs/tools/run_script.py
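Review bot: The `print(f"Running: {cmd}")` line now logs something other than what runs: `subprocess` receives the shlex-tokenised list, so a quote or backslash that `shlex.split` consumed, or a `$VAR` that is no longer expanded, is invisible in the log when the command fails. Split once and log the real argv: `argv = shlex.split(cmd)` / `print(f"Running: {shlex.join(argv)}")` / `result = subprocess.run(argv, check=True, env=env)` (`shlex.join` exists on every interpreter that accepts the `dict[str, str] | None` annotation this file already uses). The explicit `shell=False` is the default and can be dropped together with the comment, which should instead say that shell syntax in `cmd` is passed through literally. `def run_cmd` is the line just above the hunk.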
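Review bot: `subprocess.run(["npm", "install"], env=env)` will not find npm on Windows: the launcher installed there is `npm.cmd`, and without a shell the process creation only tries an `.exe`, so the call raises `FileNotFoundError` before the `if result.returncode != 0:` check is ever reached. If Windows is a target for this test (I cannot tell from the hunk), resolve the launcher once with `npm = shutil.which("npm") or "npm"` (adding `import shutil` at the top of the file) and use `[npm, "install"]` / `[npm, "run", "build"]`; the arguments here are constants, so routing a `.cmd` through cmd.exe adds no quoting risk. `env` is assembled above the hunk, and on POSIX it is that env's `PATH`, not the parent's, that subprocess now searches for the executable.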
@@ -5,6 +5,7 @@
 # See the LICENSE file for more information.
 #
 import argparse
+import shlex
 import subprocess
 import sys
 import os
@@ -15,7 +16,8 @@ def run_cmd(cmd: str, env: dict[str, str] | None = None) -> int:
     if env is None:
         env = os.environ.copy()
     print(f"Running: {cmd}")
-    result = subprocess.run(cmd, shell=True, check=True, env=env)
+    # Use shell=False with shlex.split to avoid shell injection vulnerabilities
+    result = subprocess.run(shlex.split(cmd), shell=False, check=True, env=env)
     return result.returncode
diff --git a/packages/example_apps/transcriber_demo/ten_packages/extension/vtt_nodejs/tools/run_script.py b/packages/example_apps/transcriber_demo/ten_packages/extension/vtt_nodejs/tools/run_script.py
index 616bc1b093..427154ffec 100644
--- a/packages/example_apps/transcriber_demo/ten_packages/extension/vtt_nodejs/tools/run_script.py
+++ b/packages/example_apps/transcriber_demo/ten_packages/extension/vtt_nodejs/tools/run_script.py
@@ -5,6 +5,7 @@
 # See the LICENSE file for more information.
 #
 import argparse
+import shlex
 import subprocess
 import sys
 import os
@@ -15,7 +16,8 @@ def run_cmd(cmd: str, env: dict[str, str] | None = None) -> int:
     if env is None:
         env = os.environ.copy()
     print(f"Running: {cmd}")
-    result = subprocess.run(cmd, shell=True, check=True, env=env)
+    # Use shell=False with shlex.split to avoid shell injection vulnerabilities
+    result = subprocess.run(shlex.split(cmd), shell=False, check=True, env=env)
     return result.returncode
diff --git a/tests/ten_runtime/integration/nodejs/standalone_test_nodejs_2/default_extension_nodejs/tests/bin/start.py b/tests/ten_runtime/integration/nodejs/standalone_test_nodejs_2/default_extension_nodejs/tests/bin/start.py
index 1e4049a48d..3c07a62267 100644
--- a/tests/ten_runtime/integration/nodejs/standalone_test_nodejs_2/default_extension_nodejs/tests/bin/start.py
+++ b/tests/ten_runtime/integration/nodejs/standalone_test_nodejs_2/default_extension_nodejs/tests/bin/start.py
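Review bot: `shlex.split(cmd)` leaves run_cmd with the weakest possible contract — callers must still build a string, quote it correctly under POSIX rules, and remember that `|`, `&&` and `$VAR` are now literal arguments; the safer interface takes argv directly and keeps the string form only for compatibility. Two lines in the hunk change: `argv = shlex.split(cmd) if isinstance(cmd, str) else list(cmd)` and `result = subprocess.run(argv, check=True, env=env)`, with the parameter typed `cmd: str | list[str]` on the `def run_cmd` line just above the hunk. The comment should then state what is actually guaranteed, e.g. `# No shell is involved; str commands are tokenised with shlex (pipes, globs and $VAR are not expanded)`. The `print(f"Running: {cmd}")` line can stay as it prints whichever form the caller passed.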
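Review bot: `shlex.split(cmd)` introduces a failure mode that nothing in the hunk documents: an unbalanced quote in `cmd` raises `ValueError("No closing quotation")` before anything runs, on top of the `CalledProcessError` that `check=True` already raises, which also means `return result.returncode` can only ever return 0. Callers that handled the old behaviour (a shell exit status surfacing as `CalledProcessError`) will now see `ValueError` as well, so either translate it or state it. Suggested docstring for the function (its `def` line is just above the hunk): one line saying the command is tokenised with shlex and executed without a shell, a `Raises:` entry each for `ValueError` on malformed quoting and `CalledProcessError` on non-zero exit, and a note that the int return is always 0. The explicit `shell=False` is the default and is noise next to the comment.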
@@ -16,14 +16,14 @@
 # npm install
 print("Running npm install...")
-result = subprocess.run(["npm", "install"], env=env, shell=True)
+result = subprocess.run(["npm", "install"], env=env)
 if result.returncode != 0:
     print("npm install failed")
     sys.exit(result.returncode)
 # npm run build
 print("Running npm run build...")
-result = subprocess.run(["npm", "run", "build"], env=env, shell=True)
+result = subprocess.run(["npm", "run", "build"], env=env)
 if result.returncode != 0:
     print("npm run build failed")
     sys.exit(result.returncode)
@@ -50,5 +50,5 @@
 # npm test
 print("Running npm test...")
-result = subprocess.run(["npm", "test"], env=env, shell=True)
+result = subprocess.run(["npm", "test"], env=env)
 sys.exit(result.returncode)
diff --git a/tests/ten_runtime/integration/nodejs/standalone_test_nodejs_3/default_extension_nodejs/tests/bin/start.py b/tests/ten_runtime/integration/nodejs/standalone_test_nodejs_3/default_extension_nodejs/tests/bin/start.py
index 22e4fb9b85..0c80bc6d92 100644
--- a/tests/ten_runtime/integration/nodejs/standalone_test_nodejs_3/default_extension_nodejs/tests/bin/start.py
+++ b/tests/ten_runtime/integration/nodejs/standalone_test_nodejs_3/default_extension_nodejs/tests/bin/start.py
@@ -16,14 +16,14 @@
 # npm install
 print("Running npm install...")
-result = subprocess.run(["npm", "install"], env=env, shell=True)
+result = subprocess.run(["npm", "install"], env=env)
 if result.returncode != 0:
     print("npm install failed")
     sys.exit(result.returncode)
 # npm run build
 print("Running npm run build...")
-result = subprocess.run(["npm", "run", "build"], env=env, shell=True)
+result = subprocess.run(["npm", "run", "build"], env=env)
 if result.returncode != 0:
     print("npm run build failed")
     sys.exit(result.returncode)
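Review bot: With `shell=True` gone, the install and build calls in this hunk are two near-identical run/check/exit stanzas (and the `npm test` hunk further down is a third that already drops the failure message), which is where the next inconsistency will creep in. A small helper keeps the argv construction and the exit path in one place; `env` is assembled above the hunk and the helper would read it as a module global, exactly as the inline code does today. The two stanzas then collapse to `run_npm("install")` and `run_npm("run", "build")` after their existing `print(...)` lines.
```python
def run_npm(*args: str) -> None:
    """Run `npm <args>` with the test env; exit with npm's status if it fails."""
    result = subprocess.run(["npm", *args], env=env)
    if result.returncode != 0:
        print(f"npm {' '.join(args)} failed")
        sys.exit(result.returncode)

# … unchanged: the "Running npm install..." print …
run_npm("install")
# … unchanged: the "Running npm run build..." print …
run_npm("run", "build")
```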
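Review bot: Dropping `shell=True` changes what happens when `npm` is not on PATH: the shell used to print `command not found` and return 127, which the `if result.returncode != 0:` branch turned into the `npm install failed` message, whereas `subprocess.run(["npm", "install"], env=env)` now raises `FileNotFoundError` and the script dies with a traceback before reaching that check. Since this is a test entry point, catch it once around the first call: `except FileNotFoundError:` / `print("npm not found on PATH")` / `sys.exit(127)`. Note also that on POSIX the executable is now looked up in the `PATH` of the `env` you pass (built above the hunk), not the parent process's, so a trimmed `env` will trigger exactly this path.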