mirror of
https://github.com/crewAIInc/crewAI.git
synced 2026-04-07 11:38:16 +00:00
9acb327d9f
* fix: replace os.system with subprocess.run in unsafe mode pip install Eliminates shell injection risk (A05) where a malicious library name like "pkg; rm -rf /" could execute arbitrary host commands. Using list-form subprocess.run with shell=False ensures the library name is always treated as a single argument with no shell metacharacter expansion. Adds two tests: one verifying list-form invocation, one verifying that shell metacharacters in a library name cannot trigger shell execution. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: use sys.executable -m pip to satisfy S607 linting rule S607 flags partial executable paths like ["pip", ...]. Using [sys.executable, "-m", "pip", ...] provides an absolute path and also ensures installation targets the correct Python environment. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Greyson LaLonde <greyson.r.lalonde@gmail.com>