From 153588f28b9662a005747a81733201c6e39b3e10 Mon Sep 17 00:00:00 2001
From: "Pieter De Cremer (Semgrep)"
Date: Tue, 15 Oct 2024 13:40:40 +0200
Subject: [PATCH] add sanitizer and update message of dangerous subprocess rule (#3487)

---
 .../audit/dangerous-subprocess-use-tainted-env-args.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/python/lang/security/audit/dangerous-subprocess-use-tainted-env-args.yaml b/python/lang/security/audit/dangerous-subprocess-use-tainted-env-args.yaml
index 199e244057..c7b58315a8 100644
--- a/python/lang/security/audit/dangerous-subprocess-use-tainted-env-args.yaml
+++ b/python/lang/security/audit/dangerous-subprocess-use-tainted-env-args.yaml
@@ -3,6 +3,8 @@ rules:
 mode: taint
 options:
 symbolic_propagation: true
+ pattern-sanitizers:
+ - pattern: shlex.quote(...)
 pattern-sources:
 - patterns:
 - pattern-either:
@@ -81,7 +83,7 @@ rules:
 message: >-
 Detected subprocess function '$FUNC' with user controlled data.
 A malicious actor could leverage this to perform command injection.
- You may consider using 'shlex.escape()'.
+ You may consider using 'shlex.quote()'.
 metadata:
 owasp:
 - A01:2017 - Injection
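Review bot: The new `pattern-sanitizers` entry marks every `shlex.quote(...)` result as clean, but quoting only neutralizes shell metacharacters for POSIX shells when the value is spliced into a command string; it does not change what a value can do once it is passed as its own list element to `subprocess`, and it is not a Windows escape, so the rule will now stay silent on those flows. That is a reasonable trade-off for an audit rule, but it should be recorded next to the entry so the next maintainer does not widen the sanitizer further, e.g. `# shlex.quote() only escapes for POSIX shell command strings; list-form and Windows calls are not covered`. The enclosing rule definition begins and ends outside this hunk.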
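Review bot: The corrected last line of `message` now names a function that actually exists (`shlex.escape()` is not in the standard library), but it still presents quoting as the first remedy, whereas the more robust fix for a tainted subprocess argument is to pass the command as an argument list without `shell=True` and reach for `shlex.quote()` only when a shell string is unavoidable. Consider replacing the added line with `Prefer passing the command as a list with shell=False; if a shell string is unavoidable, quote each tainted value with 'shlex.quote()'.` so the advice matches the sanitizer this patch also adds. The rest of the rule, including the `metadata` stanza, continues outside this hunk.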