File: pytorch_lightning/trainer/training_io.py
Line Number: 227-233
Relevant Code:

```python
import logging
import os
from subprocess import call

log = logging.getLogger(__name__)

# find job id
job_id = os.environ['SLURM_JOB_ID']
cmd = 'scontrol requeue {}'.format(job_id)

# requeue job
log.info(f'requeing job {job_id}...')
result = call(cmd, shell=True)
```

From the Python `subprocess` documentation:

> Executing shell commands that incorporate unsanitized input from an untrusted source makes a program vulnerable to shell injection, a serious security flaw which can result in arbitrary command execution. For this reason, the use of shell=True is strongly discouraged in cases where the command string is constructed from external input... shell=False disables all shell based features, but does not suffer from this vulnerability

Meaning anything that can set the SLURM_JOB_ID environment variable can perform code execution.

The documentation also describes why you might need/want shell=True:

> This can be useful if you are using Python primarily for the enhanced control flow it offers over most system shells and still want convenient access to other shell features such as shell pipes, filename wildcards, environment variable expansion, and expansion of ~ to a user's home directory.

Looking at the code above, it doesn't look like we need any of these features, and we can switch to shell=False with no change in functionality while gaining the security benefits of shell=False.
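Added example (not the project's code) showing the shell-free form of the requeue call described above: the command is built as an argv list so `SLURM_JOB_ID` is always a single argument to `scontrol`, never interpreted by a shell, and the value is checked against an assumed job-id format before use. The regex, the function names and the `environ` parameter are this example's own assumptions; the argv helper spawns the current interpreter with a constructed value to show that, without a shell, spaces and `;` in the value do not split it into extra arguments.

```python
import os
import re
import subprocess
import sys
from typing import List, Mapping

# Assumed SLURM job-id format: digits, optionally followed by an array index
# ("123_4") or a heterogeneous-job component ("123+0"). Adjust for your site.
JOB_ID_RE = re.compile(r"^\d+(?:[_+]\d+)?$")


def requeue_argv(job_id: str) -> List[str]:
    """Build the `scontrol requeue <id>` command as an argv list (no shell).

    Rejects anything that does not look like a SLURM job id so that an
    unexpected environment value fails loudly instead of reaching scontrol.
    """
    if not JOB_ID_RE.fullmatch(job_id):
        raise ValueError(f"unexpected SLURM_JOB_ID format: {job_id!r}")
    return ["scontrol", "requeue", job_id]


def requeue_from_env(environ: Mapping[str, str] = os.environ) -> List[str]:
    """Read the job id from the environment and return the argv to run."""
    return requeue_argv(environ["SLURM_JOB_ID"])


def requeue_job(environ: Mapping[str, str] = os.environ) -> int:
    """Drop-in replacement for the original `call(cmd, shell=True)` line.

    shell=False is subprocess's default, so the list is passed straight to
    execve and the job id can never be parsed as shell syntax.
    """
    return subprocess.call(requeue_from_env(environ))


def argv_token_count(value: str) -> int:
    """Spawn a child without a shell and report how many argv entries
    `value` arrived as. With shell=False this is always 1, whatever the
    value contains."""
    completed = subprocess.run(
        [sys.executable, "-c", "import sys; print(len(sys.argv) - 1)", value],
        capture_output=True,
        text=True,
        check=True,
    )
    return int(completed.stdout.strip())


if __name__ == "__main__":
    # Constructed values for demonstration; no scontrol call is made here.
    print(requeue_argv("123_4"))          # ['scontrol', 'requeue', '123_4']
    print(argv_token_count("12 34; 56"))  # 1: still a single argument
```

In the original function the two lines that build and run `cmd` become `result = subprocess.call(requeue_argv(os.environ['SLURM_JOB_ID']))`; the log line is unchanged.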