From e2c9853bbe057d6b1cfc31c53e8b55e2925e7f6a Mon Sep 17 00:00:00 2001
From: Ganesh Patil <7030871503ganeshpatil@gmail.com>
Date: Wed, 18 Feb 2026 16:22:10 +0530
Subject: [PATCH] security: remove shell=True from /contribute endpoint to prevent command injection (fixes #360)

---
 fri/server/main.py | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/fri/server/main.py b/fri/server/main.py
index c2e1e659..ddc33c4f 100644
--- a/fri/server/main.py
+++ b/fri/server/main.py
@@ -396,16 +396,18 @@ def contribute():
     validate_text_field(PR_TITLE, 'title', max_length=512)
     validate_text_field(PR_BODY, 'desc', max_length=8192)
 
+    # Build base command depending on platform
     if(platform.uname()[0]=='Windows'):
-        # Use cmd.exe /c to invoke contribute.bat on Windows
-        proc = subprocess.run(["cmd.exe", "/c", "contribute.bat", STUDY_NAME, STUDY_NAME_PATH, AUTHOR_NAME, BRANCH_NAME, PR_TITLE, PR_BODY], cwd=concore_path, check=True, capture_output=True, text=True)
-        output_string = proc.stdout
+        cmd = ["cmd.exe", "/c", "contribute.bat", STUDY_NAME, STUDY_NAME_PATH, AUTHOR_NAME]
     else:
-        if len(BRANCH_NAME)==0:
-            proc = check_output([r"./contribute",STUDY_NAME,STUDY_NAME_PATH,AUTHOR_NAME],cwd=concore_path)
-        else:
-            proc = check_output([r"./contribute",STUDY_NAME,STUDY_NAME_PATH,AUTHOR_NAME,BRANCH_NAME,PR_TITLE,PR_BODY],cwd=concore_path)
-        output_string = proc.decode()
+        cmd = [r"./contribute", STUDY_NAME, STUDY_NAME_PATH, AUTHOR_NAME]
+
+    # Append optional branch/PR args only when BRANCH_NAME is provided
+    if len(BRANCH_NAME) > 0:
+        cmd.extend([BRANCH_NAME, PR_TITLE, PR_BODY])
+
+    proc = subprocess.run(cmd, cwd=concore_path, check=True, capture_output=True, text=True)
+    output_string = proc.stdout
     status=200
     if output_string.find("/pulls/")!=-1:
         status=200
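Review bot: The Windows branch (`cmd = ["cmd.exe", "/c", "contribute.bat", ...]`) still hands every user-supplied field to cmd.exe's command-line parser, so the list form alone does not close the injection the subject line claims to fix: cmd.exe interprets `&`, `|`, `^`, `%VAR%` and `"` inside arguments passed to a .bat file, and Python's list2cmdline quoting does not escape them (the "BatBadBut" class of bugs). Before building `cmd`, either reject those characters, e.g. `if any(ch in arg for arg in (STUDY_NAME, STUDY_NAME_PATH, AUTHOR_NAME, BRANCH_NAME, PR_TITLE, PR_BODY) for ch in '&|<>^%!"\r\n'): raise ValueError('invalid characters in contribute arguments')`, or constrain STUDY_NAME, AUTHOR_NAME and BRANCH_NAME to an allowlist such as `^[A-Za-z0-9._/-]+$`. A BRANCH_NAME beginning with `-` is a separate argument-injection risk if `./contribute` forwards it to git unquoted, and only PR_TITLE/PR_BODY are visibly validated here; the checks on STUDY_NAME, STUDY_NAME_PATH, AUTHOR_NAME and BRANCH_NAME, if any, are outside this hunk. contribute() begins before the hunk and its status handling continues after it.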