fix(#3577): remove shell=True and convert commands to argument lists to prevent command injection

guptapratykshh · guptapratykshh · commit b1913f4e7dc7 · 2026-01-15T21:11:21.000+05:30
Signed-off-by: guptapratykshh &lt;pratykshgupta9999@gmail.com&gt;
diff --git a/augur/tasks/git/util/facade_worker/facade_worker/config.py b/augur/tasks/git/util/facade_worker/facade_worker/config.py
@@ -257,15 +257,15 @@ def insert_or_update_data(self, query, **bind_args)-> None:
     def inc_repos_processed(self):
         self.repos_processed += 1
 
-    def run_git_command(self, cmd: str, timeout: int, capture_output: bool = False, operation_description: str = None) -> tuple:
+    def run_git_command(self, cmd: list, timeout: int, capture_output: bool = False, operation_description: str = None) -> tuple:
         """
         Execute a git command with timeout handling.
 
         This method provides a unified interface for running git commands with
         consistent timeout handling and error logging across all facade operations.
 
         Args:
-            cmd: The git command to execute
+            cmd: The git command to execute as a list of arguments (e.g., ["git", "clone", url])
             timeout: Timeout in seconds
             capture_output: If True, capture stdout/stderr; if False, discard them
             operation_description: Human-readable description for error logging
@@ -277,12 +277,11 @@ def run_git_command(self, cmd: str, timeout: int, capture_output: bool = False,
                    stdout_content is empty string if capture_output=False
         """
         if operation_description is None:
-            operation_description = cmd
+            operation_description = ' '.join(cmd)
 
         try:
             # Common options for all subprocess.run calls
             run_options = {
-                'shell': True,
                 'timeout': timeout,
                 'check': False
             }
diff --git a/augur/tasks/git/util/facade_worker/facade_worker/repofetch.py b/augur/tasks/git/util/facade_worker/facade_worker/repofetch.py
@@ -148,7 +148,7 @@ def git_repo_initialize(facade_helper, session, repo_git):
 
         facade_helper.log_activity('Verbose', f"Cloning: {git}")
 
-        cmd = f"git -C {repo_path} clone '{git}' {repo_name}"
+        cmd = ["git", "-C", repo_path, "clone", git, repo_name]
         return_code, _ = facade_helper.run_git_command(
             cmd,
             timeout=7200,  # 2 hours for large repos
@@ -320,7 +320,7 @@ def git_repo_updates(facade_helper, repo_git):
 
         try:
 
-            firstpull = (f"git -C {absolute_path} pull")
+            firstpull = ["git", "-C", absolute_path, "pull"]
 
             return_code_remote, _ = facade_helper.run_git_command(
                 firstpull,
@@ -340,35 +340,32 @@ def git_repo_updates(facade_helper, repo_git):
 
                 #                    session.log_activity('Verbose', f'remote default is {logremotedefault}.')
 
-                getremotedefault = (
-                    f"git -C {absolute_path} remote show origin | sed -n '/HEAD branch/s/.*: //p'")
+                getremotedefault = ["git", "-C", absolute_path, "symbolic-ref", "refs/remotes/origin/HEAD"]
 
                 return_code_remote, remotedefault = facade_helper.run_git_command(
                     getremotedefault,
-                    timeout=60,  # 1 minute for remote query
+                    timeout=60,
                     capture_output=True,
                     operation_description='get remote default branch'
                 )
+                if return_code_remote == 0 and remotedefault:
+                    remotedefault = remotedefault.split('/')[-1]
 
                 facade_helper.log_activity(
                     'Verbose', f'remote default getting checked out is: {remotedefault}.')
 
-                getremotedefault = (
-                    f"git -C {absolute_path} checkout {remotedefault}")
-
-                facade_helper.log_activity(
-                    'Verbose', f"get remote default command is: \n \n {getremotedefault} \n \n ")
+                checkout_cmd = ["git", "-C", absolute_path, "checkout", remotedefault]
 
                 return_code_remote_default_again, _ = facade_helper.run_git_command(
-                    getremotedefault,
+                    checkout_cmd,
                     timeout=600,  # 10 minutes for git checkout
                     capture_output=False,
                     operation_description=f'git checkout {remotedefault}'
                 )
 
                 if return_code_remote_default_again == 0:
                     facade_helper.log_activity('Verbose', "local checkout worked.")
-                    cmd = (f"git -C {absolute_path} pull")
+                    cmd = ["git", "-C", absolute_path, "pull"]
 
                     return_code, _ = facade_helper.run_git_command(
                         cmd,
@@ -384,7 +381,7 @@ def git_repo_updates(facade_helper, repo_git):
 
         finally:
 
-            cmd = (f"git -C {absolute_path} pull")
+            cmd = ["git", "-C", absolute_path, "pull"]
 
             return_code, _ = facade_helper.run_git_command(
                 cmd,
@@ -411,23 +408,23 @@ def git_repo_updates(facade_helper, repo_git):
 
 #                session.log_activity('Verbose', f'remote default is {logremotedefault}.')
 
-            getremotedefault = (
-                f"git -C {absolute_path} remote show origin | sed -n '/HEAD branch/s/.*: //p'")
+            getremotedefault = ["git", "-C", absolute_path, "symbolic-ref", "refs/remotes/origin/HEAD"]
 
             return_code_remote, remotedefault = facade_helper.run_git_command(
                 getremotedefault,
-                timeout=60,  # 1 minute for remote query
+                timeout=60,
                 capture_output=True,
                 operation_description='get remote default branch'
             )
+            if return_code_remote == 0 and remotedefault:
+                remotedefault = remotedefault.split('/')[-1]
 
             try:
 
-                getremotedefault = (
-                    f"git -C {absolute_path} checkout {remotedefault}")
+                checkout_cmd = ["git", "-C", absolute_path, "checkout", remotedefault]
 
                 return_code_remote_default, _ = facade_helper.run_git_command(
-                    getremotedefault,
+                    checkout_cmd,
                     timeout=600,  # 10 minutes for git checkout
                     capture_output=False,
                     operation_description=f'git checkout {remotedefault}'
@@ -436,7 +433,7 @@ def git_repo_updates(facade_helper, repo_git):
                 facade_helper.log_activity(
                     'Verbose', f'get remote default result (return code): {return_code_remote_default}')
 
-                getcurrentbranch = (f"git -C {absolute_path} branch")
+                getcurrentbranch = ["git", "-C", absolute_path, "branch"]
 
                 return_code_local, localdefault = facade_helper.run_git_command(
                     getcurrentbranch,
@@ -448,8 +445,7 @@ def git_repo_updates(facade_helper, repo_git):
                 facade_helper.log_activity(
                     'Verbose', f'remote default is: {remotedefault}, and localdefault is {localdefault}.')
 
-                cmd_checkout_default = (
-                    f"git -C {absolute_path} checkout {remotedefault}")
+                cmd_checkout_default = ["git", "-C", absolute_path, "checkout", remotedefault]
 
                 cmd_checkout_default_wait, _ = facade_helper.run_git_command(
                     cmd_checkout_default,
@@ -458,9 +454,9 @@ def git_repo_updates(facade_helper, repo_git):
                     operation_description=f'git checkout {remotedefault}'
                 )
 
-                cmdpull2 = (f"git -C {absolute_path} pull")
+                cmdpull2 = ["git", "-C", absolute_path, "pull"]
 
-                cmd_reset = (f"git -C {absolute_path} reset --hard origin/{remotedefault}")
+                cmd_reset = ["git", "-C", absolute_path, "reset", "--hard", f"origin/{remotedefault}"]
 
                 cmd_reset_wait, _ = facade_helper.run_git_command(
                     cmd_reset,
@@ -469,7 +465,7 @@ def git_repo_updates(facade_helper, repo_git):
                     operation_description=f'git reset --hard origin/{remotedefault}'
                 )
 
-                cmd_clean = (f"git -C {absolute_path} clean -df")
+                cmd_clean = ["git", "-C", absolute_path, "clean", "-df"]
 
                 return_code_clean, _ = facade_helper.run_git_command(
                     cmd_clean,
@@ -483,9 +479,7 @@ def git_repo_updates(facade_helper, repo_git):
                 facade_helper.log_activity('Verbose', f'Second pass failed: {e}.')
                 pass
 
-        cmdpull2 = (f"git -C {absolute_path} pull")
-
-        print(cmdpull2)
+        cmdpull2 = ["git", "-C", absolute_path, "pull"]
         return_code, _ = facade_helper.run_git_command(
             cmdpull2,
             timeout=600,  # 10 minutes for git pull
diff --git a/augur/tasks/git/util/facade_worker/facade_worker/utilitymethods.py b/augur/tasks/git/util/facade_worker/facade_worker/utilitymethods.py
@@ -107,7 +107,7 @@ def get_absolute_repo_path(repo_base_dir, repo_id, repo_path,repo_name):
 
 def get_parent_commits_set(absolute_repo_path, facade_helper, logger=None):
 
-	cmd = "git --git-dir %s log --ignore-missing --pretty=format:'%%H'" % (absolute_repo_path)
+	cmd = ["git", "--git-dir", absolute_repo_path, "log", "--ignore-missing", "--pretty=format:%H"]
 
 	# Use facade_helper's unified git command runner
 	return_code, stdout = facade_helper.run_git_command(
