From 4eda8899ceb97860a2a18d6fae46506819a7c842 Mon Sep 17 00:00:00 2001
From: sivaadityacoder <sivaaditya456@gmail.com>
Date: Mon, 1 Dec 2025 05:13:13 +0000
Subject: [PATCH] Fix: Remove shell=True from subprocess calls in setup.py

- Pass commands as list to subprocess.run() instead of shell string
- Prevents potential command injection via malicious filenames (CWE-78)
- Added check=True for better error handling
- Maintains backward compatibility

This change eliminates the risk of OS command injection if a .java file
with shell metacharacters in its filename exists during the build process.
---
 setup.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/setup.py b/setup.py
index b338210d..789c8004 100644
--- a/setup.py
+++ b/setup.py
@@ -52,8 +52,8 @@ def make_apks():
                 basename, _ = filename.split('.')
                 d8_cmd = [d8, '--output', basename + '.zip', basename + '*.class', '--lib', sdk]
 
-                run(' '.join(javac_cmd), shell=True, cwd=root)
-                run(' '.join(d8_cmd), shell=True, cwd=root)
+                run(javac_cmd, cwd=root, check=True)
+                run(d8_cmd, cwd=root, check=True)
 
                 os.rename(os.path.join(root, basename + '.zip'), os.path.join(root, basename + '.apk'))