tests: avoid shell=True in interactive CLI helper

[kuishou68]

Summary

tests/sherlock_interactives.py currently builds a shell command with string interpolation and executes it with subprocess.check_output(..., shell=True).

command = f"sherlock {args}"
proc_out = subprocess.check_output(command, shell=True, stderr=subprocess.STDOUT)

Why this is a problem

• it makes the test helper depend on shell parsing instead of argument parsing
• quoting behavior becomes platform-sensitive
• future tests that pass characters such as quotes, semicolons, or shell metacharacters can behave unexpectedly
• the helper is harder to reason about than a direct argv-based subprocess call

Even though this is test code, the helper is meant to model CLI usage, so it is better if it invokes the CLI directly without going through a shell.

Proposed fix

Refactor the helper to:

• build an argv list instead of a shell string
• invoke the module with sys.executable -m sherlock_project ...
• keep stderr capture and existing error handling behavior intact

[kuishou68]

I can take this one. I’ll replace the shell-built command with an argv-based subprocess call, keep the helper behavior the same from the tests’ point of view, and review the change for quoting and cross-platform side effects.

[kuishou68]

Opened PR #2865 for this. The fix removes shell-based command construction from the interactive CLI helper and keeps the helper behavior focused on argv-based subprocess execution.

[malak749]

Thank you for the update. I see that PR #2865 has been opened to address the shell usage in the interactive CLI helper. I will take a look at the changes to ensure the argv-based execution and quoting behavior work as expected across different platforms.

…

On Fri, Apr 3, 2026, 1:44 PM Cocoon-Break ***@***.***> wrote: *kuishou68* left a comment (sherlock-project/sherlock#2864) <#2864 (comment)> Opened PR #2865 <#2865> for this. The fix removes shell-based command construction from the interactive CLI helper and keeps the helper behavior focused on argv-based subprocess execution. — Reply to this email directly, view it on GitHub <#2864?email_source=notifications&email_token=B7BABNGF2QBI64AKVCKQAUT4T6W4XA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIMJYGMZTGMBSG422M4TFMFZW63VKON2WE43DOJUWEZLEUVSXMZLOOSWGM33PORSXEX3DNRUWG2Y#issuecomment-4183330275>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/B7BABNF37XL63XYI3P5AHLL4T6W4XAVCNFSM6AAAAACXLYURDCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DCOBTGMZTAMRXGU> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>