[Security] Harden release-doctor shell command execution #238

Closed
opened 2026-07-11 12:51:03 +02:00 by zemion · 1 comment
Owner

Semgrep flags shell-based helper execution in the release doctor. The current code is operator-confirmed, but it should still use structured argv where possible.

Classification: lower-priority security hardening.

Report evidence:

  • govoplan-core/scripts/release-doctor.py:895 user-confirmed suggested command execution.
  • govoplan-core/scripts/release-doctor.py:929 generated safe.directory command execution.
  • govoplan-core/scripts/release-doctor.py:1001 user-configured pager execution.
  • Semgrep: subprocess-shell-true, dangerous-subprocess-use-tainted-env-args.

Suggested next steps:

  • Represent suggested commands as argv arrays instead of shell strings.
  • Use shlex.split only for intentionally operator-entered commands and keep explicit confirmations.
  • Use subprocess.run([pager, ...]) or a narrow pager allowlist.

Baseline report directory: audit-reports/govoplan-full-20260711-1238

<!-- codex-audit-full-2026-07-11:core-release-doctor-shell --> Semgrep flags shell-based helper execution in the release doctor. The current code is operator-confirmed, but it should still use structured argv where possible. Classification: **lower-priority security hardening**. Report evidence: - `govoplan-core/scripts/release-doctor.py:895` user-confirmed suggested command execution. - `govoplan-core/scripts/release-doctor.py:929` generated safe.directory command execution. - `govoplan-core/scripts/release-doctor.py:1001` user-configured pager execution. - Semgrep: `subprocess-shell-true`, `dangerous-subprocess-use-tainted-env-args`. Suggested next steps: - Represent suggested commands as argv arrays instead of shell strings. - Use `shlex.split` only for intentionally operator-entered commands and keep explicit confirmations. - Use `subprocess.run([pager, ...])` or a narrow pager allowlist. Baseline report directory: `audit-reports/govoplan-full-20260711-1238`
zemion added the
type
debt
status
ready
priority
p2
module/core
codex/ready
labels 2026-07-11 12:51:03 +02:00
zemion added the
area/security
audit/structural
source/security-audit
labels 2026-07-11 16:03:40 +02:00
Author
Owner

Codex State: done

Summary

  • release-doctor.py moved with the scripts into the meta repository.
  • The active shell/URL trust-boundary finding is now tracked in add-ideas/govoplan#1.
  • govoplan-core only has release-doctor tests left, not the tool implementation.

Closing this core issue as superseded by the meta-owned issue.

## Codex State: done ### Summary - `release-doctor.py` moved with the scripts into the meta repository. - The active shell/URL trust-boundary finding is now tracked in `add-ideas/govoplan#1`. - `govoplan-core` only has release-doctor tests left, not the tool implementation. Closing this core issue as superseded by the meta-owned issue.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-core#238
No description provided.