Summary
Several Python scripts/tests invoke commands with shell=True and string concatenation, enabling command injection if inputs are ever influenced by untrusted data.
Details
- Files:
- pyAlbany/examples/paper/MC_example_no_interface.py
- tests/landIce/FO_Thermo/hessian_comparison.py
- tests/landIce/CismAlbany/runtestT.py
- tools/albany-test-harness
- Patterns:
- subprocess.call(self.AlbanyEXE + ' ' + self.YAMLFILE, shell=True)
- Popen(command, shell=True, ...)
- CWE: CWE-78
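A small AST-based finder for the patterns listed above, added here as an example and not part of the Albany tree. It flags calls to the usual subprocess entry points that pass shell=True, and records whether the command argument is built dynamically (concatenation, f-string, variable) rather than being a string literal, which is the combination this report is about. The SAMPLE source is constructed for the demonstration; it only mirrors the two patterns quoted in the report. Matching on the attribute name alone (e.g. any `.call(`) is a deliberate heuristic and may produce false positives.

```python
import ast
import os

# Entry points that accept shell=True. Matching is by attribute/function name only,
# so an unrelated `foo.call(..., shell=True)` would also be reported.
SUBPROCESS_FUNCS = {"call", "run", "Popen", "check_call", "check_output"}


def _callee_name(func):
    """Return the bare name of a call target: subprocess.call -> 'call', Popen -> 'Popen'."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def find_shell_true_calls(source, filename="<string>"):
    """Scan Python source text and return one finding per shell=True subprocess call.

    Each finding is {"line", "func", "dynamic_command"}; dynamic_command is True
    when the command is anything other than a string constant, i.e. the CWE-78
    shape (shell=True plus data flowing into the command string).
    """
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node.func)
        if name not in SUBPROCESS_FUNCS:
            continue
        shell_true = any(
            kw.arg == "shell"
            and isinstance(kw.value, ast.Constant)
            and kw.value.value is True
            for kw in node.keywords
        )
        if not shell_true:
            continue
        # The command is the first positional argument or the args= keyword.
        cmd = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg == "args"), None
        )
        dynamic = cmd is not None and not isinstance(cmd, ast.Constant)
        findings.append({"line": node.lineno, "func": name, "dynamic_command": dynamic})
    return findings


def scan_tree(root):
    """Walk a directory and return {path: findings} for every .py file with hits."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".py"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    try:
                        hits = find_shell_true_calls(fh.read(), path)
                    except SyntaxError:
                        continue
                if hits:
                    results[path] = hits
    return results


# Constructed sample that reproduces the shapes quoted in the report (not real Albany code).
SAMPLE = """
import subprocess
from subprocess import Popen
class Runner:
    def go(self, command):
        subprocess.call(self.AlbanyEXE + ' ' + self.YAMLFILE, shell=True)
        Popen(command, shell=True, stdout=subprocess.PIPE)
        subprocess.run(["ls", "-l"], check=True)
        subprocess.run("make", shell=True)
"""

if __name__ == "__main__":
    for f in find_shell_true_calls(SAMPLE, "sample.py"):
        print(f)
```

Running it on the constructed sample reports three shell=True calls: the concatenated `subprocess.call` and the variable-driven `Popen` are marked dynamic, while the literal `subprocess.run("make", shell=True)` is reported but not dynamic, so a reviewer can triage the dangerous ones first. `scan_tree(".")` runs the same check over a checkout.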
Remediation
- Avoid shell=True; pass argv lists, e.g., subprocess.run([exe, arg], check=True)
- If shell is required, sanitize/escape all inputs strictly and document constraints.
Testing
- Add tests to ensure proper execution with spaces in paths and that shell metacharacters are not interpreted.
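The remediation and testing bullets above, carried through as an added example (not code from the Albany project). A child process that prints the arguments it received stands in for the Albany executable, so the example runs offline on any POSIX system with Python 3.8+. It contrasts the report's concatenation-plus-shell=True pattern with the argv-list form, adds the shlex.join fallback for the case where a shell really is required, and exercises the two test cases the report asks for: a path containing a space and an argument containing shell metacharacters. All function names are hypothetical.

```python
import json
import shlex
import subprocess
import sys

# Stand-in for AlbanyEXE: prints its argv as a JSON list so the caller can see
# exactly what the child received.
ECHO_ARGV = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]


def args_seen_with_shell(arg):
    """'Before' pattern from the report: fixed prefix + ' ' + arg, shell=True.

    The fixed prefix is quoted only so the stand-in child can be launched; `arg`
    is concatenated unquoted, exactly as in the flagged scripts.
    """
    cmd = shlex.join(ECHO_ARGV) + " " + arg
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def args_seen_with_argv(arg):
    """Remediation 1: pass an argv list and drop shell=True."""
    out = subprocess.run(ECHO_ARGV + [arg], capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def shell_command_for(arg):
    """Remediation 2: if a shell is unavoidable, quote every element with shlex."""
    return shlex.join(ECHO_ARGV + [arg])


def args_seen_with_quoted_shell(arg):
    out = subprocess.run(
        shell_command_for(arg), shell=True, capture_output=True, text=True, check=True
    ).stdout
    return json.loads(out)


# Test inputs the report asks for: a path with a space, and shell metacharacters.
PATH_WITH_SPACE = "my input.yaml"
PATH_WITH_METACHARS = "input$HOME.yaml"


def test_spaces_in_paths():
    # Unquoted shell form word-splits the path into two arguments (wrong result).
    assert args_seen_with_shell(PATH_WITH_SPACE) == ["my", "input.yaml"]
    # argv list and quoted-shell forms deliver the path intact.
    assert args_seen_with_argv(PATH_WITH_SPACE) == [PATH_WITH_SPACE]
    assert args_seen_with_quoted_shell(PATH_WITH_SPACE) == [PATH_WITH_SPACE]


def test_metacharacters_not_interpreted():
    # No expansion: the literal "$HOME" text reaches the child.
    assert args_seen_with_argv(PATH_WITH_METACHARS) == [PATH_WITH_METACHARS]
    assert args_seen_with_quoted_shell(PATH_WITH_METACHARS) == [PATH_WITH_METACHARS]


if __name__ == "__main__":
    test_spaces_in_paths()
    test_metacharacters_not_interpreted()
    print("ok")
```

The two test functions are written in plain pytest style so they can be dropped into the existing tests directory; in the real scripts the ECHO_ARGV prefix would be replaced by `[self.AlbanyEXE]` and the YAML path passed as a separate list element.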