In joystick/consumers/fedora_messaging_consumer.py, line 21, subprocess.Popen is being called with shell=True, without any obvious reason as to why.
Note that bandit (static code analysis required to be run by the Fedora Infra Application Security Policy) would have caught this with High confidence and High severity.
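An added example, not part of the original ticket and not bandit's or joystick's code: a minimal AST check in the spirit of the finding described above, flagging `subprocess` calls made with a literal `shell=True`. The `SAMPLE` source and all function names are constructed for illustration.

```python
import ast

# Callables in the subprocess module that accept a shell= keyword.
SUBPROCESS_FUNCS = {"Popen", "run", "call", "check_call", "check_output"}

def _subprocess_aliases(tree):
    """Collect local names bound to the subprocess module or to its functions."""
    modules, funcs = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules |= {a.asname or a.name for a in node.names if a.name == "subprocess"}
        elif isinstance(node, ast.ImportFrom) and node.module == "subprocess":
            funcs |= {a.asname or a.name for a in node.names if a.name in SUBPROCESS_FUNCS}
    return modules, funcs

def find_shell_true(source):
    """Return sorted (line, call name) pairs for subprocess calls with literal shell=True."""
    tree = ast.parse(source)
    modules, funcs = _subprocess_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            hit, name = (f.value.id in modules and f.attr in SUBPROCESS_FUNCS), f"{f.value.id}.{f.attr}"
        elif isinstance(f, ast.Name):
            hit, name = (f.id in funcs), f.id
        else:
            continue
        for kw in node.keywords:
            # Only a literal truthy shell= is flagged; shell=some_variable is not resolved.
            if hit and kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value:
                findings.append((node.lineno, name))
    return sorted(findings)

# Constructed sample (parsed only, never executed); not the joystick source.
SAMPLE = '''import subprocess
from subprocess import run as r
cmd = "handler --topic " + topic
subprocess.Popen(cmd, shell=True)
subprocess.Popen(["handler", "--topic", topic])
r("echo " + topic, shell=True)
r(["echo", topic], shell=False)
'''

if __name__ == "__main__":
    for line, call in find_shell_true(SAMPLE):
        print(f"line {line}: {call}(..., shell=True)")
```

The two calls that pass an argument list are not reported: without a shell, the value of `topic` reaches the child process as a single argument instead of being parsed as shell syntax.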
Fixed in https://pagure.io/joystick/c/0ac81d6088c6179ccde7f7462e0724e79494389f?branch=master
Metadata Update from @puiterwijk: - Issue status updated to: Closed (was: Open)