fix: replace create_subprocess_shell (#3265)

deacon-mp · claude · web-flow · commit d748c6b40f21 · 2026-03-15T21:31:59.000-04:00
* fix: replace create_subprocess_shell with safe exec in start_vue_dev_server

Avoid shell injection risk by using create_subprocess_exec instead.

* fix: address Copilot review feedback on subprocess PR

- Capture proc from create_subprocess_exec, log PID, schedule proc.wait()
  to avoid zombie processes on Vue dev server exit
- Rewrite test to use pytest style, ast-based function extraction,
  and Path-relative server.py resolution

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

* test: guard against None return from ast.get_source_segment

ast.get_source_segment() returns None when source offsets are
unavailable; assert it is not None before using it in string checks.

* fix: remove untracked create_task in start_vue_dev_server to avoid zombie subprocess

* test: accept FunctionDef and AsyncFunctionDef in start_vue_dev_server check

* test: use explicit utf-8 encoding in read_text()

---------

Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/server.py b/server.py
@@ -156,10 +156,10 @@ async def enable_cors(request, response):
 
 
 async def start_vue_dev_server():
-    await asyncio.create_subprocess_shell(
-        "npm run dev", stdout=sys.stdout, stderr=sys.stderr, cwd=MAGMA_PATH
+    proc = await asyncio.create_subprocess_exec(
+        "npm", "run", "dev", stdout=sys.stdout, stderr=sys.stderr, cwd=MAGMA_PATH
     )
-    logging.info("VueJS development server is live.")
+    logging.info("VueJS development server started (PID %s).", proc.pid)
 
 
 def _get_parser():
diff --git a/tests/security/test_subprocess_exec.py b/tests/security/test_subprocess_exec.py
@@ -0,0 +1,21 @@
+import ast
+from pathlib import Path
+
+
+SERVER_PY = Path(__file__).resolve().parents[2] / 'server.py'
+
+
+def test_no_create_subprocess_shell_in_start_vue():
+    """Verify create_subprocess_shell is not used in start_vue_dev_server."""
+    content = SERVER_PY.read_text(encoding='utf-8')
+    tree = ast.parse(content, filename=str(SERVER_PY))
+    func_node = None
+    for node in ast.walk(tree):
+        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)) and node.name == 'start_vue_dev_server':
+            func_node = node
+            break
+    assert func_node is not None, "start_vue_dev_server function not found in server.py"
+    func_content = ast.get_source_segment(content, func_node)
+    assert func_content is not None, "Could not extract source for start_vue_dev_server"
+    assert 'create_subprocess_shell' not in func_content
+    assert 'create_subprocess_exec' in func_content
