
My Python script has to run a binary that is only available through the console, so I use subprocess.run for it. It looks like this:

import subprocess

# ARGS is assumed to be the argparse namespace parsed earlier in the script.
CMD = [
    "C:\\Program Files\\Azure DevOps Server 2019\\Tools\\TFSSecurity.exe",
    "/gd",
    f"[{ARGS.projectName}]\\{ARGS.groupName}",
    f"/collection:{ARGS.organization}",
]

# Run TFSSecurity.exe and capture its output.
DELETE_OUTPUT = subprocess.run(
    CMD, check=True, stdout=subprocess.PIPE, shell=True
).stdout.decode("utf-8")

print(f"[DEBUG] DELETE_OUTPUT: {DELETE_OUTPUT}")

It works fine, but Bandit reports some issues:

[B404:blacklist] Consider possible security implications associated with subprocess module.

[B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue

Is there a way to run the CLI more safely so that Bandit is happy?


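One way to build and run the same TFSSecurity.exe command without a shell, added here as an example that is not part of the original post. It assumes the ARGS fields from the question are passed in as plain strings; the helper names are hypothetical, and the self-check functions use the current Python interpreter as a stand-in child process so the pattern can be exercised on any machine.

```python
import subprocess
import sys

# Path from the question; only reachable on a machine with Azure DevOps Server 2019 installed.
TFSSECURITY = r"C:\Program Files\Azure DevOps Server 2019\Tools\TFSSecurity.exe"


def build_delete_group_cmd(project_name, group_name, organization, exe=TFSSECURITY):
    """Return the argv list for: TFSSecurity.exe /gd [project]\\group /collection:url

    Every argument stays its own list element. With shell=False the list goes
    straight to CreateProcess/execve, so a group name such as 'x & del *' is
    delivered to TFSSecurity.exe verbatim instead of being parsed by cmd.exe.
    """
    return [
        exe,
        "/gd",
        f"[{project_name}]\\{group_name}",
        f"/collection:{organization}",
    ]


def run_cli(cmd):
    """Run an argv list with no shell and return its decoded stdout.

    Dropping shell=True is what clears Bandit B602. On Windows, shell=True with
    a list makes subprocess join the list and wrap it in 'cmd.exe /c ...', which
    is why the original worked but exposed the arguments to cmd.exe parsing.
    The 'nosec' marker records that the remaining low-severity B603 finding
    (a subprocess call with a static, non-shell argv) has been reviewed.
    """
    result = subprocess.run(cmd, check=True, capture_output=True, text=True)  # nosec
    return result.stdout


def echo_via_child(argument):
    """Self-check: hand one argument to a child process and get it back unchanged."""
    child_script = "import sys; print(sys.argv[1])"
    return run_cli([sys.executable, "-c", child_script, argument]).rstrip("\r\n")


if __name__ == "__main__":
    print(build_delete_group_cmd("MyProject", "Readers", "https://dev.azure.com/example-org"))
    # Shell metacharacters survive intact because no shell ever sees them.
    print(echo_via_child("Readers & del * | whoami"))
```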