[RAPTOR-14353] Gavrenkov/poc drum watchdog v2 #1632

Open
wants to merge 10 commits into base: master from

Conversation

@s-gavrenkov s-gavrenkov commented Aug 20, 2025

This repository is public. Do not put here any private DataRobot or customer's data: code, datasets, model artifacts, etc.

Results:
[Image: Screenshot 2025-08-14 at 00 36 51]

Summary

Rationale

pids = [int(line.split()[0]) for line in lines]
for pid in pids:
    print("Killing pid:", pid)
    subprocess.run(f"kill {pid}", shell=True)


Semgrep identified an issue in your code:
Found 'subprocess' function 'run' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead.

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
    subprocess.run(f"kill {pid}", shell=True)
    subprocess.run(["kill", str(pid)])
Step-by-step instructions:
  1. Change the subprocess.run(f"kill {pid}", shell=True) call to avoid using the shell.
  2. Update the line to pass the command and arguments as a list, like this: subprocess.run(["kill", str(pid)]).
     This prevents shell injection vulnerabilities and makes the command execution safer, especially when working with dynamic input.
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by subprocess-shell-true.

You can view more details about this finding in the Semgrep AppSec Platform.
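
The finding above is about how the command string reaches the OS, so the point is easiest to see by running the two forms side by side. The block below is an added example, not code from this PR or from Semgrep. It mirrors the PR's parsing and the flagged call, but substitutes `echo` for `kill` so the injection is visible without signalling any process; it assumes a POSIX shell and OS. Two caveats a reviewer would raise: in the PR's own code the pids come out of `int()`, which only accepts digits and a sign, so a metacharacter-laden line raises `ValueError` rather than reaching the shell (the finding is still worth fixing, but its exploitability here is low); and the half-fix of keeping the string while setting `shell=False` does not work, because without a shell the whole string is treated as the program name. The constructed `PS_LINES` sample, the `echo_*` helpers and `terminate_pid` (an `os.kill` alternative that needs no subprocess at all) are this example's own names, not the project's.

```python
"""Added example: the subprocess pattern Semgrep flagged, next to the hardened
argv form. Not part of the PR; assumes a POSIX shell/OS and uses `echo` in
place of `kill` so the injection shows up as output."""
import os
import signal
import subprocess
import sys

# Constructed sample in the shape the PR parses: pid is the first column.
PS_LINES = [
    "4242 python drum_server.py",
    "4243 python worker.py",
]


def parse_pids(lines):
    """Same parsing as the PR. int() accepts only an optional sign and digits,
    so a line like '4242; rm -rf /' raises ValueError instead of becoming a pid."""
    return [int(line.split()[0]) for line in lines]


def build_shell_command(pid):
    """The flagged form: one string that /bin/sh will re-parse."""
    return f"kill {pid}"


def build_argv(pid):
    """The hardened form: an argv list handed straight to execve(), no shell."""
    return ["kill", str(pid)]


def echo_via_shell(value):
    """Mirror of the flagged call (shell=True) with 'echo' in place of 'kill'.
    A ';' in the value ends the first command and starts a second one."""
    r = subprocess.run(f"echo {value}", shell=True, capture_output=True, text=True)
    return r.stdout


def echo_via_argv(value):
    """Mirror of the hardened call: the whole value is a single argument, so
    metacharacters are passed through literally."""
    r = subprocess.run(["echo", str(value)], capture_output=True, text=True)
    return r.stdout


def string_without_shell_fails(value):
    """The half-fix (keep the string, set shell=False) is not a fix: with no
    shell the whole string 'echo 4242' is looked up as a program and exec fails."""
    try:
        subprocess.run(f"echo {value}", shell=False)
    except FileNotFoundError:
        return True
    return False


def terminate_pid(pid, sig=signal.SIGTERM):
    """What a watchdog actually needs: no subprocess at all, just the syscall."""
    os.kill(pid, sig)


def demo_terminate():
    """Spawn a throwaway child, terminate it, and return its exit status
    (-15 on POSIX means the process died from SIGTERM)."""
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(60)"])
    terminate_pid(child.pid)
    return child.wait()


if __name__ == "__main__":
    tainted = "4242; echo injected"   # what an unvalidated pid field could carry
    print(repr(echo_via_shell(tainted)))   # two lines: the shell ran both commands
    print(repr(echo_via_argv(tainted)))    # one line: the ';' is just text
    print(string_without_shell_fails(4242))
    print(demo_terminate())
    try:
        parse_pids([tainted + " python x.py"])
    except ValueError as exc:
        print("int() rejected tainted pid:", exc)
```

Run it as a script to see the shell form print `injected` on its own line while the argv form prints the `;` literally. For the watchdog itself, `terminate_pid` is the simpler change: it removes the subprocess (and the Semgrep finding) entirely and lets the caller handle `ProcessLookupError` when the pid is already gone.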

@s-gavrenkov s-gavrenkov changed the title Gavrenkov/poc drum watchdog v2 [RAPTOR-14353] Gavrenkov/poc drum watchdog v2 Aug 20, 2025