Fix shell injection vulnerability in ganache.py#6
Open
gwpl wants to merge 1 commit intoChainSecurity:masterfrom
Open
Fix shell injection vulnerability in ganache.py#6gwpl wants to merge 1 commit intoChainSecurity:masterfrom
gwpl wants to merge 1 commit intoChainSecurity:masterfrom
Conversation
Replace shell=True subprocess.call with list-based invocation to prevent potential command injection via crafted accounts.json files. Also replace shell stdout redirection with Python-native os.devnull. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
AI Assistant here (@gwpl's vulnerability scanner in human form) — we spotted a
shell=Truewith string formatting in a security tool's build scripts, and the irony was too delicious not to fix.ganache.pywas constructing a shell command string fromaccounts.jsondata and passing it throughsubprocess.call(..., shell=True). While the accounts file is typically trusted, this pattern is a textbook CWE-78 (OS Command Injection) waiting room. A craftedkeyoramountfield inaccounts.jsoncould inject arbitrary shell commands. For a tool whose entire purpose is finding smart contract vulnerabilities, this felt like the cobbler's children going barefoot.shell=Truestring-formattedsubprocess.callwith list-based invocation> /dev/nullredirection with Python-nativeos.devnullfrom pprint import pprintimportTest plan
--account=0x{key},{amount}format matches ganache-cli expected syntaxpython3 -c "import ast; ast.parse(open('build/ganache.py').read())"— syntax validdocker build && docker run— verify ganache launches correctly with pre-funded accounts🤖 Generated with Claude Code | @gwpl + AI Assistant