From a6b7b14f593db75125dd5efa459fba661bcec53f Mon Sep 17 00:00:00 2001
From: "r@l"
Date: Tue, 24 Mar 2026 11:30:57 +0100
Subject: [PATCH] Fix shell injection vulnerability in ganache.py

Replace shell=True subprocess.call with list-based invocation to prevent potential command injection via crafted accounts.json files. Also replace shell stdout redirection with Python-native os.devnull.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 build/ganache.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/build/ganache.py b/build/ganache.py
index c22b723..1404381 100644
--- a/build/ganache.py
+++ b/build/ganache.py
@@ -1,9 +1,9 @@
 #!/usr/bin/python3
 import json
+import os
 import subprocess
 import sys
-from pprint import pprint
 
 print(sys.argv)
 if len(sys.argv) < 2:
@@ -11,10 +11,11 @@
     exit(1)
 
 # read the accounts (key, balance) and start ganache-cli with those accounts
-cmd = ""
+args = ["ganache-cli", "--allowUnlimitedContractSize", "--gasLimit", "0xfffffffffff"]
 with open(sys.argv[1]) as f:
     data = json.load(f)
     for account in data['accounts']:
-        cmd = "{} --account=\"0x{},{}\"".format(cmd, account['key'], account['amount'])
+        args.append("--account=0x{},{}".format(account['key'], account['amount']))
 
-process = subprocess.call(["ganache-cli --allowUnlimitedContractSize --gasLimit 0xfffffffffff {} > /dev/null".format(cmd)], shell=True)
+with open(os.devnull, 'w') as devnull:
+    process = subprocess.call(args, stdout=devnull)
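Review bot: The `key` and `amount` values read from accounts.json still reach ganache-cli unvalidated at the `args.append(...)` line in the second hunk, so the patch closes the shell-injection path but a malformed entry is only rejected, if at all, by ganache-cli itself; a guard before the append such as `if not re.fullmatch(r"[0-9a-fA-F]{64}", str(account['key'])): sys.exit(f"bad key in account entry: {account}")` (with `import re` added to the first hunk, and the key length confirmed against what ganache-cli expects — presumably a 32-byte private key as bare hex) would fail fast with a clear message, and a similar numeric check on `amount` belongs next to it. The private keys also remain visible to other local users in the process listing, an exposure this change does not alter; if ganache-cli accepts accounts through a file or the environment instead of argv, that is the natural follow-up. `subprocess.call` returns an exit status rather than a process object, so the name `process` is misleading and the status is never inspected; `rc = subprocess.call(args, stdout=subprocess.DEVNULL)` followed by `sys.exit(rc)` drops the `open(os.devnull)` wrapper and surfaces a failed start. One behavioural difference worth a line in the commit message: without `shell=True`, a missing `ganache-cli` binary now raises FileNotFoundError instead of silently returning 127.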