Use of shell=True could lead to shell injection

[bkhakshoor]

File: pytorch_lightning/trainer/training_io.py
Line Number: 227-233
Relevant Code:

` # find job id
job_id = os.environ['SLURM_JOB_ID']
cmd = 'scontrol requeue {}'.format(job_id)

        # requeue job
        log.info(f'requeing job {job_id}...')
        result = call(cmd, shell=True)`

From here, "Executing shell commands that incorporate unsanitized input from an untrusted source makes a program vulnerable to shell injection, a serious security flaw which can result in arbitrary command execution. For this reason, the use of shell=True is strongly discouraged in cases where the command string is constructed from external input...shell=False disables all shell based features, but does not suffer from this vulnerability"

Meaning anything that can set the SLURM_JOB_ID environment variable can perform code execution.

The documentation also describes why you might need/want shell=True, "This can be useful if you are using Python primarily for the enhanced control flow it offers over most system shells and still want convenient access to other shell features such as shell pipes, filename wildcards, environment variable expansion, and expansion of ~ to a user’s home directory."

Looking at the code above, it doesn't look like we need any of these features and we can switch to shell=False with no change in functionality while gaining the security benefits of shell=False.

[github-actions]

Hi! thanks for your contribution!, great first issue!

[ananyahjha93]

@bkhakshoor would you mind submitting a PR for it with the fix?