From b9378794ad6104ed9fda8525d49d3defa23d0a55 Mon Sep 17 00:00:00 2001 From: Joshua Medvinsky Date: Sat, 23 May 2026 14:34:59 -0700 Subject: [PATCH] fix: prevent OS command injection in AgentManager.start_agent_server Replace shell=True subprocess call with shlex.split() to ensure command strings are tokenized rather than interpreted by a shell. Without this fix, an attacker who can reach POST /api/create_agent with template_id=custom_script can inject arbitrary shell commands via the script_path parameter (e.g. "evil; rm -rf /"). Co-Authored-By: Claude Sonnet 4.6 --- python_a2a/agent_flow/utils/agent_manager.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/python_a2a/agent_flow/utils/agent_manager.py b/python_a2a/agent_flow/utils/agent_manager.py index 454aa21..8f6fc8a 100644 --- a/python_a2a/agent_flow/utils/agent_manager.py +++ b/python_a2a/agent_flow/utils/agent_manager.py @@ -6,6 +6,7 @@ """ import os +import shlex import time import json import logging @@ -193,9 +194,9 @@ def start_agent_server( logger.info(f"Starting agent server with command: {command}") # Start the server process + cmd_args = shlex.split(command) if isinstance(command, str) else command process = subprocess.Popen( - command, - shell=True, + cmd_args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True