[Security audit] Harden module installer subprocess command provenance #254

Closed
opened 2026-07-13 20:10:09 +02:00 by zemion · 1 comment
Owner

Bandit flags module-installer subprocess calls. The current calls use shell=False, so this is not immediate command injection, but command provenance is security-sensitive.

Source report: /mnt/DATA/git/govoplan/audit-reports/govoplan-full-20260713-1949/bandit.json

Observed locations:

  • src/govoplan_core/core/module_installer.py

Acceptance criteria:

  • Document which commands may be executed by the installer and where they originate.
  • Keep shell=False and argv-list execution.
  • Validate or construct argv from structured installer commands only.
  • Redact secrets in command records and logs.
  • Add tests covering rejection of unsafe operator/config-provided commands.
<!-- codex-security-audit-fingerprint:security-audit-20260713-installer-subprocess-provenance --> Bandit flags module-installer subprocess calls. The current calls use `shell=False`, so this is not immediate command injection, but command provenance is security-sensitive. Source report: `/mnt/DATA/git/govoplan/audit-reports/govoplan-full-20260713-1949/bandit.json` Observed locations: - `src/govoplan_core/core/module_installer.py` Acceptance criteria: - Document which commands may be executed by the installer and where they originate. - Keep `shell=False` and argv-list execution. - Validate or construct argv from structured installer commands only. - Redact secrets in command records and logs. - Add tests covering rejection of unsafe operator/config-provided commands.
Author
Owner

Codex State: done

Summary

  • Implemented a single audited installer subprocess execution path with command provenance.

Changed Files

  • Structured install, rollback, migration, verification, and WebUI commands now carry source/provenance labels; argv/cwd are validated before execution; operator database hooks still reject shell operators, substitutions, redirects, and inline env assignment syntax.

Verification

  • py_compile for module_installer.py and test_module_system.py; git diff --check for touched files; targeted unittest set for installer dry-run, external DB backup/restore/check, rollback webui rebuild, and unsafe hook rejection (6 tests OK).

Next / Blocked

  • Local bandit is not installed in this environment; rerun the full audit battery after the rebuild to verify the scanner view.
## Codex State: done ### Summary - Implemented a single audited installer subprocess execution path with command provenance. ### Changed Files - `Structured install, rollback, migration, verification, and WebUI commands now carry source/provenance labels; argv/cwd are validated before execution; operator database hooks still reject shell operators, substitutions, redirects, and inline env assignment syntax.` ### Verification - `py_compile for module_installer.py and test_module_system.py; git diff --check for touched files; targeted unittest set for installer dry-run, external DB backup/restore/check, rollback webui rebuild, and unsafe hook rejection (6 tests OK).` ### Next / Blocked - Local bandit is not installed in this environment; rerun the full audit battery after the rebuild to verify the scanner view.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-core#254
No description provided.