From 19f66ddb11326d0155bbe9639d7dc28c2addc160 Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Thu, 9 Jan 2025 03:41:27 +0000
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20(CodeQL)=20Fixed=20finding:=20"Unco?= =?UTF-8?q?ntrolled=20command=20line"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 introduction/mitre.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/introduction/mitre.py b/introduction/mitre.py
index c899c21..918ed07 100644
--- a/introduction/mitre.py
+++ b/introduction/mitre.py
@@ -230,7 +230,7 @@ def mitre_lab_17(request):
 return render(request, 'mitre/mitre_lab_17.html')
 def command_out(command):
- process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ process = subprocess.Popen(command, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 return process.communicate()
@@ -238,10 +238,10 @@ def command_out(command):
 def mitre_lab_17_api(request):
 if request.method == "POST":
 ip = request.POST.get('ip')
- command = "nmap " + ip
+ command = ["nmap", ip]
 res, err = command_out(command)
 res = res.decode()
 err = err.decode()
 pattern = "STATE SERVICE.*\\n\\n"
 ports = re.findall(pattern, res,re.DOTALL)[0][14:-2].split('\n')
- return JsonResponse({'raw_res': str(res), 'raw_err': str(err), 'ports': ports})
\ No newline at end of file
+ return JsonResponse({'raw_res': str(res), 'raw_err': str(err), 'ports': ports})
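Review bot: With `shell=False` in `command_out`, `command` must now be an argv list. On POSIX a plain string such as `"nmap 127.0.0.1"` is treated as a single program name and fails with FileNotFoundError, so any other caller of this helper outside the hunk should be checked. The new contract is not written down anywhere; I would add a docstring such as `"""Run command (an argv list, never a shell string) and return (stdout, stderr) as bytes."""`. `process.communicate()` also has no `timeout=`, so a slow scan holds the request for as long as the child process runs.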
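Review bot: In `mitre_lab_17_api`, `ip` still goes from `request.POST` straight into the nmap argument list. The list form removes shell interpretation, but a value beginning with `-` is still parsed by nmap as an option, and a missing field leaves `ip` as None so `Popen` raises TypeError. I would validate it as a literal address with `ipaddress.ip_address` before building `command` and answer 400 otherwise, as sketched below. This needs `import ipaddress` at the top of the file, outside the hunk; if hostnames must be accepted, a strict hostname check would take its place. Separately, `re.findall(...)[0]` raises IndexError whenever the output contains no port table.

```python
        ip = request.POST.get('ip', '')
        try:
            # Only a literal IPv4/IPv6 address is allowed to reach the nmap argv.
            target = str(ipaddress.ip_address(ip))
        except ValueError:
            return JsonResponse({'error': 'invalid ip address'}, status=400)
        command = ["nmap", target]
        # … unchanged: command_out call, decoding and port parsing …
```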