Skip to content

fix: use subprocess instead of os.system in launch.py#31

Open
orbisai0security wants to merge 1 commit into
facebookresearch:mainfrom
orbisai0security:fix-v001-os-system-shell-injection
Open

fix: use subprocess instead of os.system in launch.py#31
orbisai0security wants to merge 1 commit into
facebookresearch:mainfrom
orbisai0security:fix-v001-os-system-shell-injection

Conversation

@orbisai0security

Copy link
Copy Markdown

Summary

Fix critical severity security issue in launch.py.

Vulnerability

Field Value
ID V-001
Severity CRITICAL
Scanner multi_agent_ai
Rule V-001
File launch.py:169

Description: The launch.py script uses os.system() with f-string interpolation to execute shell commands, directly embedding the tmp_dir and cmd variables without any sanitization. The os.system() function passes the string to the system shell for interpretation, meaning any shell metacharacters in the interpolated variables will be executed. Additionally, subprocess.check_output with shell=True at line 88 presents a similar risk.

Changes

  • launch.py

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

Automated security fix generated by OrbisAI Security
@meta-cla meta-cla Bot added the CLA Signed This label is managed by the Meta Open Source bot. label May 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

CLA Signed This label is managed by the Meta Open Source bot.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant