@ArnePannemans
Replace shell=True subprocess.Popen with list-based arguments to prevent user-controlled datastore paths from injecting OS commands (CWE-78).

Important

The Update branch button must only be pressed in very rare occasions.
An outdated branch is never blocking the merge of a PR.
Please reach out to the automation team before pressing that button.

What does this PR do?

Hardens AIS datastore downloads by invoking the ais get binary without a shell so user-controlled datastore paths cannot inject additional commands.

Collection: Core utilities

Changelog

  • Replace subprocess.Popen(..., shell=True) in nemo/utils/data_utils.py::open_datastore_object_with_binary with a list-based argument invocation so shell=False is used and datastore paths are treated as opaque arguments
  • This removes the CWE-78 OS command injection risk

No other behavioral changes; AIS downloads still stream through stdout in bytes mode.

Usage

No user-facing usage changes.

GitHub Actions CI

The Jenkins CI system has been replaced by GitHub Actions self-hosted runners.

The GitHub Actions CI will run automatically when the "Run CICD" label is added to the PR.
To re-run CI remove and add the label again.
To run CI on an untrusted fork, a NeMo user with write access must first click "Approve and run".

Before your PR is "Ready for review"

Pre checks:

  • [x] Make sure you read and followed Contributor guidelines
  • Did you write any new necessary tests? (Not required; security fix covered by existing behavior)
  • Did you add or update any necessary documentation? (Not applicable)
  • Does the PR affect components that are optional to install? (No impact)
    • Reviewer: Does the PR have correct import guards for all optional libraries?

PR Type:

  • New Feature
  • Bugfix
  • Documentation

If you haven't finished some of the above items you can still open "Draft" PR.

Who can review?

Anyone in the community is free to review the PR once the checks have passed.
Contributor guidelines contains specific people who can review PRs to various areas.

Additional Information

  • Related to # (issue)

Arne Pannemans and others added 3 commits December 5, 2025 11:18
Replace shell=True subprocess.Popen with list-based arguments to prevent
user-controlled datastore paths from injecting OS commands (CWE-78).

Signed-off-by: Arne Pannemans <[email protected]>
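
The difference the changelog describes, as an added example (not the NeMo code from this PR): a stand-in script replaces the `ais` binary and echoes the arguments it received. The `get <path>` argument shape, the function names and the sample path are assumptions constructed for the demo.

```python
import json
import shlex
import subprocess
import sys

# Stand-in for the AIS binary (assumption): prints the argv it received as JSON,
# so the demo runs offline and shows exactly what the child process was given.
FAKE_AIS = [sys.executable, "-c", "import json,sys; print(json.dumps(sys.argv[1:]))"]

# Constructed datastore path carrying a shell metacharacter and a harmless echo.
CONSTRUCTED_PATH = "ais://bucket/shard.tar; echo INJECTED"


def _stdout_lines(proc: subprocess.Popen) -> list:
    """Collect the child's stdout (bytes mode) and split it into lines."""
    out, _ = proc.communicate()
    return out.decode().splitlines()


def get_with_shell(path: str) -> list:
    """'Before' shape: the path is pasted into a string that /bin/sh parses."""
    binary = " ".join(shlex.quote(part) for part in FAKE_AIS)
    cmd = f"{binary} get {path}"
    return _stdout_lines(subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE))


def get_with_list(path: str) -> list:
    """'After' shape: argv list, no shell, the path is one opaque argument."""
    cmd = FAKE_AIS + ["get", path]
    return _stdout_lines(subprocess.Popen(cmd, stdout=subprocess.PIPE))


if __name__ == "__main__":
    # With the shell, the text after ';' runs as a second command.
    print("shell=True :", get_with_shell(CONSTRUCTED_PATH))
    # With an argv list, the whole string arrives as a single argument.
    print("argv list  :", get_with_list(CONSTRUCTED_PATH))
```

An argv list removes shell interpretation only; a path that begins with `-` is still delivered to the binary as an argument, so option parsing by the binary is a separate concern.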