
fix(serve): Invoke pip without shell in xgboost install_package #5981

Open
lucasjia-aws wants to merge 1 commit into aws:master from lucasjia-aws:fix/xgboost-inference-install-package-no-shell


Conversation

@lucasjia-aws

Collaborator

Replace the shell-interpreted, string-built pip command in install_package() with a list-argument subprocess call using sys.executable -m pip. This removes the shell=True pattern and prevents shell metacharacter interpretation in package_name as a defense-in-depth hardening against accidental misuse.

Issue #, if available:

Description of changes:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

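The before/after pattern the description refers to, as an added example that is not the PR's own code (the repository's install_package() is not reproduced here): a string-built shell command next to the list-argument `sys.executable -m pip` call, plus a small offline check that a package name containing shell metacharacters reaches the child process as a single argument. The function names `is_safe_package_spec`, `legacy_shell_command`, `build_pip_args`, `argv_seen_by_child` and the sample spec are assumptions made for this illustration.

```python
import json
import subprocess
import sys
from typing import List


def is_safe_package_spec(package_name: str) -> bool:
    """Reject specs that pip would parse as an option rather than a package.

    The list form takes the shell out of the picture, but argv elements are
    still parsed by pip itself: a value beginning with "-" would be read as a
    pip flag. Refusing it keeps package_name in the positional slot.
    (Hypothetical helper, not part of the PR.)
    """
    return bool(package_name) and not package_name.isspace() and not package_name.startswith("-")


def legacy_shell_command(package_name: str) -> str:
    """The pattern the PR removes: one string handed to /bin/sh via shell=True.

    The shell tokenises this string, so metacharacters in package_name change
    the command structure. Returned for comparison only; never executed here.
    """
    return f"pip install {package_name}"


def build_pip_args(package_name: str, *, upgrade: bool = False) -> List[str]:
    """The hardened pattern: an argv list for `python -m pip install <spec>`.

    Each element reaches the child verbatim; no shell inspects them. Using
    sys.executable pins the pip that belongs to the running interpreter.
    """
    if not is_safe_package_spec(package_name):
        raise ValueError(f"refusing package spec {package_name!r}")
    args = [sys.executable, "-m", "pip", "install"]
    if upgrade:
        args.append("--upgrade")
    args.append(package_name)
    return args


def install_package(package_name: str) -> None:
    """Install with the list-based call (shape of the hardened function).

    check=True turns a non-zero pip exit into CalledProcessError instead of
    letting the caller continue as if the install had succeeded.
    """
    subprocess.run(build_pip_args(package_name), check=True)


def argv_seen_by_child(package_name: str) -> List[str]:
    """Offline demonstration of the argument-boundary guarantee.

    Instead of pip, run a child interpreter that echoes its argv as JSON,
    invoked the same way (list, no shell). Whatever package_name contains,
    shell metacharacters included, arrives as exactly one argv element.
    """
    cmd = [
        sys.executable,
        "-c",
        "import json, sys; print(json.dumps(sys.argv[1:]))",
        "install",
        package_name,
    ]
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    # Constructed sample: a spec carrying shell metacharacters.
    sample = "xgboost; echo should-not-run"
    print("legacy string the shell would parse:", legacy_shell_command(sample))
    print("argv list passed directly:", build_pip_args(sample))
    print("argv as received by the child:", argv_seen_by_child(sample))
```

Running the block shows the legacy string as one shell command line, while the child reports `["install", "xgboost; echo should-not-run"]`: the `;` is inert because nothing tokenises it. The leading-dash check is a separate, optional layer; the list-argument call alone removes shell interpretation but does not stop a value such as `--index-url=...` from being read by pip as an option, so validating the spec is worth doing where package_name comes from outside the process.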
