Skip to content

Quality: Insecure subprocess usage in get_system_info.py#1977

Open
tomaioo wants to merge 1 commit into
NVIDIA:mainfrom
tomaioo:improve/quality/insecure-subprocess-usage-in-get-system-
Open

Quality: Insecure subprocess usage in get_system_info.py#1977
tomaioo wants to merge 1 commit into
NVIDIA:mainfrom
tomaioo:improve/quality/insecure-subprocess-usage-in-get-system-

Conversation

@tomaioo

@tomaioo tomaioo commented Jul 15, 2026

Copy link
Copy Markdown

Summary

Quality: Insecure subprocess usage in get_system_info.py

Problem

Severity: Medium | File: .github/ISSUE_TEMPLATE/get_system_info.py:L10

The script uses shell=True with subprocess.check_output for multiple commands. While the commands are hardcoded, using shell=True is a security anti-pattern and could be exploited if any command input becomes dynamic.

Solution

Replace shell=True with explicit command lists (e.g., ['nvidia-smi', '--query-gpu=...']). Use shlex.split() if complex parsing is needed.

Changes

  • .github/ISSUE_TEMPLATE/get_system_info.py (modified)

Summary by CodeRabbit

  • Bug Fixes
    • Improved system information collection by avoiding shell-based command execution.
    • Made NVIDIA GPU and CUDA version detection more reliable.
    • Improved Linux operating system detection for issue reports.

The script uses shell=True with subprocess.check_output for multiple commands. While the commands are hardcoded, using shell=True is a security anti-pattern and could be exploited if any command input becomes dynamic.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
@tomaioo tomaioo requested a review from a team as a code owner July 15, 2026 00:48
@tomaioo tomaioo requested a review from kevalmorabia97 July 15, 2026 00:48
@copy-pr-bot

copy-pr-bot Bot commented Jul 15, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

System information collection now avoids shell execution for NVIDIA GPU and CUDA queries and reads Linux OS metadata directly from /etc/os-release.

Changes

System information collection

Layer / File(s) Summary
Direct system queries
.github/ISSUE_TEMPLATE/get_system_info.py
NVIDIA GPU and CUDA commands use direct argument lists, and Linux distribution information is extracted by reading /etc/os-release directly while preserving existing parsing and fallback behavior.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested reviewers: kevalmorabia97

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: fixing insecure subprocess usage in get_system_info.py.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Security Anti-Patterns ✅ Passed The only changed Python file removes shell=True usage and adds no banned patterns, # nosec, or new dependencies.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.

👉 Steps to fix this

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/ISSUE_TEMPLATE/get_system_info.py:
- Around line 67-71: Update the PRETTY_NAME parsing in the system information
collection flow to use an os-release-aware parser that correctly handles both
single- and double-quoted values, rather than manually stripping only double
quotes. Preserve the existing behavior of selecting PRETTY_NAME and stopping
after it is found.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1d11b60a-029c-4a9c-aadb-dd0c5d4cad41

📥 Commits

Reviewing files that changed from the base of the PR and between f479e78 and b932d60.

📒 Files selected for processing (1)
  • .github/ISSUE_TEMPLATE/get_system_info.py

Comment on lines +67 to +71
with open("/etc/os-release", "r") as f:
for line in f:
if line.startswith("PRETTY_NAME="):
os_info = line.split("=", 1)[1].strip().strip('"')
break

@coderabbitai coderabbitai Bot Jul 15, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,140p' .github/ISSUE_TEMPLATE/get_system_info.py

Repository: NVIDIA/Model-Optimizer

Length of output: 3724


🌐 Web query:

os-release PRETTY_NAME single quotes double quotes systemd man page

💡 Result:

According to the os-release manual page, variable assignment values must be enclosed in either double or single quotes if they contain spaces, semicolons, or any special characters outside of the range A–Z, a–z, and 0–9 [1][2]. If the value does not include these special characters, the use of quotes is optional but still permitted [1][3]. When using quotes, shell special characters (such as $, quotes, backslashes, or backticks) must be escaped with backslashes following standard shell style [1][2]. Concatenation of multiple individually quoted strings is not supported [1][2]. Because PRETTY_NAME typically includes spaces (e.g., "Fedora 32 (Workstation Edition)"), it is essentially always quoted in practice [1][4]. The specification ensures the file remains compatible with Bourne shell scripts by using environment-like variable assignments, although full shell evaluation is not supported (e.g., variable expansion is explicitly disallowed) [1][5].

Citations:


Parse PRETTY_NAME using os-release quoting rules.

/etc/os-release allows single- or double-quoted values, but this only strips double quotes. A single-quoted PRETTY_NAME will show up in the issue output with literal quotes. Use an os-release-aware parser instead of trimming one quote character.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/ISSUE_TEMPLATE/get_system_info.py around lines 67 - 71, Update the
PRETTY_NAME parsing in the system information collection flow to use an
os-release-aware parser that correctly handles both single- and double-quoted
values, rather than manually stripping only double quotes. Preserve the existing
behavior of selecting PRETTY_NAME and stopping after it is found.

Source: MCP tools

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you address this as well?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kevalmorabia97 Sure, here's the fix to handle both single- and double-quoted PRETTY_NAME values per the os-release spec:

  • Update the PRETTY_NAME parsing logic in .github/ISSUE_TEMPLATE/get_system_info.py to strip matching single or double quotes instead of only double quotes.

</plan_code_changes]


Failed to handle agent chat message. Please try again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants