Wraps arguments to subprocess.call, subprocess.run, or subprocess.Popen with shlex.quote().
Insecure arguments (i.e. returned from function/method calls, or variables) should be escaped:
import subprocess
ret = subprocess.run(['ps', opt], shell=True)
This will raise PR100 and suggest the Shell Escape fix. When the fix is applied, the code becomes:
import subprocess
from shlex import quote as shlex_quote
ret = subprocess.run(['ps', shlex_quote(opt)], shell=True)
This applies to single or list arguments. One or multiple arguments meeting the criteria will be escaped in a single fix.
NB: shlex_quote is used to avoid polluting/colliding with other functions named quote.
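As an added example (not the plugin's own code), the following shows what the shlex.quote() wrapping changes when a command string is handed to a POSIX shell. The value UNTRUSTED and the helper names are constructed for illustration, and printf stands in for ps so the output is deterministic.

```python
import subprocess
from shlex import quote as shlex_quote

# Constructed sample input: a value carrying shell metacharacters.
UNTRUSTED = "aux; echo INJECTED"


def _run(cmd):
    """Run a command string through /bin/sh and return its stdout."""
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_unquoted(opt):
    """Before the fix: the shell itself parses whatever is in opt."""
    return _run("printf '%s\\n' " + opt)


def run_quoted(opt):
    """After the fix: opt reaches the program as one literal argument."""
    return _run("printf '%s\\n' " + shlex_quote(opt))


if __name__ == "__main__":
    # Unquoted, the ';' ends the printf command and a second command runs.
    print(repr(run_unquoted(UNTRUSTED)))
    # Quoted, the whole value is printed back as a single argument.
    print(repr(run_quoted(UNTRUSTED)))
    # Embedded single quotes are handled by shlex.quote() as well.
    print(repr(run_quoted("it's")))
```

On POSIX, when shell=True is combined with a list, only the first item is the command string and the remaining items become arguments to the shell itself, which is why this example builds a single string. shlex.quote() targets POSIX shells only, so it should not be relied on for cmd.exe or PowerShell.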