skills/claude-scientific-skills
1
0
Fork 0
mirror of https://github.com/K-Dense-AI/claude-scientific-skills.git synced 2026-01-26 16:58:56 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): replace shell=True with safe subprocess patterns in documentation

Browse Source 
## Summary
Fix command injection vulnerabilities in documentation examples by replacing
shell=True with safe list-based subprocess calls.

## Changes

### alphafold-database/SKILL.md
- Replace shell=True with list-form subprocess.run()
- Add input validation for taxonomy_id parameter
- Add security warning note with link to Python docs

### modal/references/web-endpoints.md
- Replace shell=True with list-form subprocess.Popen()
- Add security warning note

## Security
These changes prevent potential command injection if users copy these examples
with untrusted input. The new patterns follow Python security best practices.
This commit is contained in:
marovole
2026-01-08 15:05:30 +08:00
parent 9827af22ad
commit b6a6d698db
2 changed files with 13 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
scientific-skills/alphafold-database/SKILL.md
View File

@@ -238,14 +238,21 @@ print(f"Found {len(results)} high-confidence human proteins")
**Download by Species:** **Download by Species:**
> ⚠️ **Security Note**: The example below uses `shell=True` for simplicity. In production environments, prefer using `subprocess.run()` with a list of arguments to prevent command injection vulnerabilities. See [Python subprocess security](https://docs.python.org/3/library/subprocess.html#security-considerations).
```python ```python
import subprocess import subprocess
import shlex
def download_proteome(taxonomy_id, output_dir="./proteomes"): def download_proteome(taxonomy_id, output_dir="./proteomes"):
"""Download all AlphaFold predictions for a species""" """Download all AlphaFold predictions for a species"""
# Validate taxonomy_id is an integer to prevent injection
if not isinstance(taxonomy_id, int):
raise ValueError("taxonomy_id must be an integer")
pattern = f"gs://public-datasets-deepmind-alphafold-v4/proteomes/proteome-tax_id-{taxonomy_id}-*_v4.tar" pattern = f"gs://public-datasets-deepmind-alphafold-v4/proteomes/proteome-tax_id-{taxonomy_id}-*_v4.tar"
cmd = f"gsutil -m cp {pattern} {output_dir}/" # Use list form instead of shell=True for security
subprocess.run(cmd, shell=True, check=True) subprocess.run(["gsutil", "-m", "cp", pattern, f"{output_dir}/"], check=True)
# Download E. coli proteome (tax ID: 83333) # Download E. coli proteome (tax ID: 83333)
download_proteome(83333) download_proteome(83333)

5
scientific-skills/modal/references/web-endpoints.md
View File

@@ -131,6 +131,8 @@ def flask_app():
For frameworks with custom network binding: For frameworks with custom network binding:
> ⚠️ **Security Note**: The example below uses `shell=True` for simplicity. In production environments, prefer using `subprocess.Popen()` with a list of arguments to prevent command injection vulnerabilities.
```python ```python
@app.function() @app.function()
@modal.concurrent(max_inputs=100) @modal.concurrent(max_inputs=100)
@@ -138,7 +140,8 @@ For frameworks with custom network binding:
def my_server(): def my_server():
import subprocess import subprocess
# Must bind to 0.0.0.0, not 127.0.0.1 # Must bind to 0.0.0.0, not 127.0.0.1
subprocess.Popen("python -m http.server -d / 8000", shell=True) # Use list form instead of shell=True for security
subprocess.Popen(["python", "-m", "http.server", "-d", "/", "8000"])
``` ```
## Streaming Responses ## Streaming Responses