Merge pull request #8875 from Smartappli/Security-Issue-Fix

CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
OpenMined · Jun 1, 2024 · 0f6f105 · 0f6f105
2 parents 7953126 + ea7e8e2
commit 0f6f105
Showing 1 changed file with 12 additions and 4 deletions.
diff --git a/packages/syft/src/syft/node/node.py b/packages/syft/src/syft/node/node.py
@@ -11,6 +11,7 @@
 from pathlib import Path
 import shutil
 import subprocess # nosec
+import sys
 import tempfile
 from time import sleep
 import traceback
@@ -221,10 +222,17 @@ def in_kubernetes() -> bool:
 
 
 def get_venv_packages() -> str:
- res = subprocess.getoutput(
- "pip list --format=freeze",
- )
- return res
+ try:
+ # subprocess call is safe because it uses a fully qualified path and fixed arguments
+ result = subprocess.run(
+ [sys.executable, "-m", "pip", "list", "--format=freeze"], # nosec
+ capture_output=True,
+ check=True,
+ text=True,
+ )
+ return result.stdout
+ except subprocess.CalledProcessError as e:
+ return f"An error occurred: {e.stderr}"
 
 
 def get_syft_worker() -> bool: