harden: reject shell=True in run_command (#3132)

run_command() forwarded shell= straight to subprocess.run, so a caller
passing shell=True would invoke a shell. Reject shell=True with ValueError
(keeping the parameter for signature compatibility) and drop shell= from
both subprocess.run calls.

Enable ruff S602/S604/S605 to flag any future shell=True reintroduction,
annotate the one intentional workflow shell sink with # noqa: S602, and
document the shell-step execution risk in workflows/PUBLISHING.md.
Pascal THUET
2026-06-24 20:05:21 +02:00
committed by GitHub
parent b6b74d4ccf
commit 8e76ff3d5c
5 changed files with 58 additions and 5 deletions

tests/test_utils.py Normal file

@@ -0,0 +1,15 @@
"""Tests for specify_cli._utils.run_command."""
from __future__ import annotations
import inspect
import pytest
from specify_cli import run_command
def test_run_command_rejects_shell_execution_compatibly():
assert inspect.signature(run_command).parameters["shell"].default is False
with pytest.raises(ValueError, match="does not support shell=True"):
run_command(["echo", "blocked"], shell=True) # noqa: S604
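Review bot: The `pytest.raises` block in `test_run_command_rejects_shell_execution_compatibly` would still pass if `run_command` spawned the process first and raised `ValueError` afterwards, because `["echo", "blocked"]` is a valid command that runs fine without a shell. Consider monkeypatching `subprocess.run` to fail the test if it is called, so the test proves the rejection happens before anything executes. A second case with a truthy non-bool such as `shell=1` would pin down whether the guard is an identity check or a truthiness check. A positive case with the default `shell=False` would confirm the normal path still works after `shell=` was dropped from the `subprocess.run` calls. Minor: the module docstring names `specify_cli._utils.run_command` while the import is `from specify_cli import run_command`; align the two so it is clear which public path is under test.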