shivasurya/code-pathfinder

high subprocess with shell=True

scripts/gen_go_modules.py:104

subprocess called with shell=True. This is vulnerable to shell injection.

Code

scripts/gen_go_modules.py

101
102def run_go_mod_tidy(directory: Path) -> bool:
103    """Run 'go mod tidy' and return True on success."""
104    result = subprocess.run(
105        ["go", "mod", "tidy"],
106        cwd=directory,
107        capture_output=True,

Dataflow

Source: scripts/gen_go_modules.py:104
Sink: scripts/gen_go_modules.py:104 subprocess.run( ["go", "mod", "tidy"], cwd=directory, capture_output=True, text=True, timeout=120, )

Seen on 10 scans

7a21c89 line 104 2026-05-23
7a21c89 line 104 2026-05-23
a7e137f line 104 2026-05-22
8a39ca7 line 104 2026-05-22
181f52c line 104 2026-05-22
91c7b3d line 104· PR #693 2026-05-22
00a5753 line 104 2026-05-22
490d33f line 104· PR #693 2026-05-22
9e00502 line 104 2026-05-22
1faca6c line 104 2026-05-21

Get this for your repo.

Pathfinder runs the same scan on your own repos free. Connect via GitHub in 30 seconds.

Get started View the open-source rules →