Enable some more bandit checks (#30857)

* Enable B108 (hardcoded tmp dir), address findings

* Enable B602 (subprocess popen with shell), address findings

* Enable B604 (start process with shell), address findings

* Enable B306 (mktemp), B307 (eval), and B325 (tempnam), no issues to address
Ville Skyttä
2020-01-20 18:44:55 +02:00
committed by GitHub
parent 6cf20fc7fa
commit 5e2ba2eb77
21 changed files with 110 additions and 91 deletions


@@ -168,15 +168,14 @@ class CommandSensorData:
if rendered_args == args:
# No template used. default behavior
shell = True
pass
else:
# Template used. Construct the string used in the shell
command = str(" ".join([prog] + shlex.split(rendered_args)))
shell = True
try:
_LOGGER.debug("Running command: %s", command)
return_value = subprocess.check_output(
command, shell=shell, timeout=self.timeout
command, shell=True, timeout=self.timeout # nosec # shell by design
)
self.value = return_value.strip().decode("utf-8")
except subprocess.CalledProcessError: