Contact Details
security-automation@local
This bug is related to UI or API?
API
What happened?
The translation CLI uses shell command strings for pybabel execution and accepts a user-controlled lang argument. This pattern can become command injection when shell metacharacters are passed.
Expected behavior:
- Execute
pybabel via argument list (no shell string execution)
- Validate
lang against a strict allowlist pattern
Patch prepared:
- Replaced shell execution with subprocess argument list
- Added language code validation before execution
Reference branch/commit:
- Branch:
codex/sec-python-rescan-20260308
- Commit:
5f0137d35
Version
newest
What browsers are you seeing the problem on?
Chrome
Relevant log output
Bandit finding before fix:
- api/commands/common.py:118 B605 HIGH/HIGH
Starting a process with a shell, possible injection detected.
Contact Details
security-automation@local
This bug is related to UI or API?
API
What happened?
The translation CLI uses shell command strings for
pybabelexecution and accepts a user-controlledlangargument. This pattern can become command injection when shell metacharacters are passed.Expected behavior:
pybabelvia argument list (no shell string execution)langagainst a strict allowlist patternPatch prepared:
Reference branch/commit:
codex/sec-python-rescan-202603085f0137d35Version
newest
What browsers are you seeing the problem on?
Chrome
Relevant log output