Problem
In `misc/scripts/models-as-data/bulk_generate_mad.py`, the function `build_database` uses `subprocess.check_call` to invoke the `codeql database create` command with user-controlled or variable data (such as `language` and `extractor_options`). The `shell` parameter is not explicitly set to `False`, and while the arguments are passed as a list, this could still pose a risk if any input is not properly sanitized, especially if the code is refactored in the future to use `shell=True` or accepts less-trusted input sources.
Impact
- If untrusted input reaches `subprocess` calls, it can result in command injection vulnerabilities.
- Even though the current usage appears safe (since a list is passed), the lack of explicit documentation or safeguards could lead to regressions.
- The use of user-configurable options (`extractor_options`, etc.) should be validated to avoid accidental injection if any refactoring occurs.
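Added example (not code from the report or from the CodeQL repository) showing the defensive shape the Impact section asks for: validate `language` and `extractor_options` before they reach `subprocess.check_call`, state `shell=False` explicitly so the intent survives refactoring, and confirm that list-form arguments reach the child process verbatim rather than being shell-parsed. The flag spellings, the language allowlist and the option regex are assumptions, not the script's real values.

```python
import json
import re
import subprocess
import sys
from typing import List, Sequence

# Constructed allowlist; the real script's permitted languages are not on the page.
ALLOWED_LANGUAGES = {"cpp", "csharp", "go", "java", "javascript", "python", "ruby", "swift"}
# One extractor option: name=value with no whitespace or shell metacharacters (assumed shape).
EXTRACTOR_OPTION_RE = re.compile(r"^[A-Za-z0-9_.]+=[A-Za-z0-9_./:-]*$")


def build_create_argv(database: str, source_root: str, language: str,
                      extractor_options: Sequence[str]) -> List[str]:
    """Assemble the argv list for `codeql database create` after validating inputs.

    Flag spellings are assumed; the point is that validation happens before argv is built.
    """
    if language not in ALLOWED_LANGUAGES:
        raise ValueError(f"unsupported language: {language!r}")
    argv = ["codeql", "database", "create", database,
            f"--language={language}", f"--source-root={source_root}"]
    for opt in extractor_options:
        if not EXTRACTOR_OPTION_RE.fullmatch(opt):
            raise ValueError(f"rejected extractor option: {opt!r}")
        argv.append(f"--extractor-option={opt}")
    return argv


def run_create(argv: List[str]) -> None:
    # shell=False is already the default, but writing it down documents the requirement
    # so a later refactor to shell=True is visibly a change of security posture.
    subprocess.check_call(argv, shell=False)


def argv_seen_by_child(args: Sequence[str]) -> List[str]:
    """Show that list-form arguments reach the child verbatim, with no shell parsing.

    Uses the Python interpreter as a stand-in child so the demonstration runs offline.
    """
    child = [sys.executable, "-c", "import sys, json; print(json.dumps(sys.argv[1:]))", *args]
    out = subprocess.run(child, shell=False, capture_output=True, text=True, check=True).stdout
    return json.loads(out)
```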
References: