diff --git a/monkey/infection_monkey/dropper.py b/monkey/infection_monkey/dropper.py index 3d34688ef..3b7bba818 100644 --- a/monkey/infection_monkey/dropper.py +++ b/monkey/infection_monkey/dropper.py @@ -4,6 +4,7 @@ import filecmp import logging import os import pprint +import shlex import shutil import subprocess import sys @@ -164,9 +165,10 @@ class MonkeyDrops(object): "monkey_commandline": inner_monkey_cmdline, } + monkey_cmdline_split = shlex.split(monkey_cmdline) + monkey_process = subprocess.Popen( - monkey_cmdline, - shell=True, + monkey_cmdline_split, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, diff --git a/monkey/infection_monkey/system_info/windows_info_collector.py b/monkey/infection_monkey/system_info/windows_info_collector.py index f978a9942..cc46aae93 100644 --- a/monkey/infection_monkey/system_info/windows_info_collector.py +++ b/monkey/infection_monkey/system_info/windows_info_collector.py @@ -1,4 +1,5 @@ import logging +import shlex import subprocess import sys @@ -51,10 +52,10 @@ class WindowsInfoCollector(InfoCollector): def get_installed_packages(self): LOG.info("Getting installed packages") - packages = subprocess.check_output("dism /online /get-packages", shell=True) + packages = subprocess.check_output(shlex.split("dism /online /get-packages")) self.info["installed_packages"] = packages.decode("utf-8", errors="ignore") - features = subprocess.check_output("dism /online /get-features", shell=True) + features = subprocess.check_output(shlex.split("dism /online /get-features")) self.info["installed_features"] = features.decode("utf-8", errors="ignore") LOG.debug("Got installed packages") diff --git a/monkey/infection_monkey/utils/windows/users.py b/monkey/infection_monkey/utils/windows/users.py index d27b74547..06e626783 100644 --- a/monkey/infection_monkey/utils/windows/users.py +++ b/monkey/infection_monkey/utils/windows/users.py @@ -39,7 +39,7 @@ class AutoNewWindowsUser(AutoNewUser): windows_cmds = get_windows_commands_to_add_user(self.username, self.password, True) logger.debug("Trying to add {} with commands {}".format(self.username, str(windows_cmds))) - _ = subprocess.check_output(windows_cmds, stderr=subprocess.STDOUT, shell=True) + _ = subprocess.check_output(windows_cmds, stderr=subprocess.STDOUT) def __enter__(self): # Importing these only on windows, as they won't exist on linux. @@ -127,9 +127,7 @@ class AutoNewWindowsUser(AutoNewUser): self.username, str(commands_to_deactivate_user) ) ) - _ = subprocess.check_output( - commands_to_deactivate_user, stderr=subprocess.STDOUT, shell=True - ) + _ = subprocess.check_output(commands_to_deactivate_user, stderr=subprocess.STDOUT) except Exception as err: raise NewUserError("Can't deactivate user {}. Info: {}".format(self.username, err)) @@ -141,8 +139,6 @@ class AutoNewWindowsUser(AutoNewUser): self.username, str(commands_to_delete_user) ) ) - _ = subprocess.check_output( - commands_to_delete_user, stderr=subprocess.STDOUT, shell=True - ) + _ = subprocess.check_output(commands_to_delete_user, stderr=subprocess.STDOUT) except Exception as err: raise NewUserError("Can't delete user {}. Info: {}".format(self.username, err)) diff --git a/monkey/infection_monkey/windows_upgrader.py b/monkey/infection_monkey/windows_upgrader.py index cea71a326..8739ae556 100644 --- a/monkey/infection_monkey/windows_upgrader.py +++ b/monkey/infection_monkey/windows_upgrader.py @@ -1,4 +1,5 @@ import logging +import shlex import shutil import subprocess import sys @@ -50,9 +51,10 @@ class WindowsUpgrader(object): + monkey_options ) + monkey_cmdline_split = shlex.split(monkey_cmdline) + monkey_process = subprocess.Popen( - monkey_cmdline, - shell=True, + monkey_cmdline_split, stdin=None, stdout=None, stderr=None,