
fix: use subprocess instead of os.system in resume.py#13730

Merged
glenn-jocher merged 2 commits into ultralytics:master from orbisai0security:fix-fix-v-001-command-injection-aws-resume
Apr 16, 2026

Conversation


@orbisai0security orbisai0security commented Apr 12, 2026

Summary

Fix critical severity security issue in utils/aws/resume.py.

Vulnerability

Field     Value
ID        V-001
Severity  CRITICAL
Scanner   multi_agent_ai
Rule      V-001
File      utils/aws/resume.py:43
CWE       CWE-78

Description: The utils/aws/resume.py file executes shell commands using os.system(cmd) without input validation. The 'cmd' variable is constructed from user-controllable inputs, allowing arbitrary command injection through shell metacharacters.

Changes

  • utils/aws/resume.py

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

🛠️ PR Summary

Made with ❤️ by Ultralytics Actions

🌟 Summary

🔧 This PR updates utils/aws/resume.py to use subprocess.Popen() instead of os.system() when relaunching resumed training jobs.

📊 Key Changes

  • Replaces import os with import subprocess.
  • Converts shell command construction from string-based commands to argument lists for both single-GPU and DDP resume flows.
  • Replaces os.system(cmd) with subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).
  • Preserves background execution behavior while explicitly redirecting output to /dev/null equivalents.
  • Updates printed command output to use " ".join(cmd) for readable logging.

🎯 Purpose & Impact

  • Improves process launching safety by avoiding shell-based command execution.
  • Reduces risk of quoting and shell interpretation issues when handling resume paths and arguments.
  • Makes the resume utility more robust and Pythonic, especially for automated AWS training recovery workflows.
  • Maintains existing functionality for both single-GPU and distributed training resumes with minimal behavioral change.

Automated security fix generated by Orbis Security AI
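Added example (not yolov5 code, and not the PR's own diff) showing why the os.system(cmd) to subprocess.Popen(argv) change described above closes the CWE-78 finding: a constructed resume path carrying shell metacharacters reaches the child as one verbatim argument. The train.py target, the --resume flag and the DDP launcher invocation are assumptions used only to give the argv a realistic shape.

```python
"""Added example, not yolov5 code: shows why replacing os.system(cmd) with a
subprocess.Popen() argv list closes the CWE-78 finding. The train.py target,
the --resume flag and the DDP launcher invocation are assumptions."""
import json
import shlex
import subprocess
import sys
from typing import Optional

# Constructed resume path containing shell metacharacters (a space and ';').
# Through a shell it becomes several words and a second command;
# in an argv list it stays one opaque argument.
TAINTED_LAST = "runs/train/exp 1; echo INJECTED/weights/last.pt"


def vulnerable_cmd(last: str, nproc: Optional[int] = None) -> str:
    """String-built command of the kind the scanner flagged (reconstructed pattern)."""
    if nproc:
        return f"python -m torch.distributed.run --nproc_per_node {nproc} train.py --resume {last}"
    return f"python train.py --resume {last}"


def fixed_argv(last: str, nproc: Optional[int] = None) -> list:
    """Argv list as the fix uses: every token reaches the child verbatim, no shell."""
    if nproc:
        return [sys.executable, "-m", "torch.distributed.run",
                "--nproc_per_node", str(nproc), "train.py", "--resume", last]
    return [sys.executable, "train.py", "--resume", last]


def relaunch(argv: list) -> subprocess.Popen:
    """Mirror the fix's launch: non-blocking, output discarded, no shell involved."""
    return subprocess.Popen(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def probe_child_args(last: str) -> list:
    """Swap train.py for a stub that echoes back the argv it received, to verify the claim."""
    argv = fixed_argv(last)
    stub = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]
    out = subprocess.run(stub + argv[2:], capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def loggable(argv: list) -> str:
    """The PR logs ' '.join(cmd) for readability; shlex.join quotes tokens so the
    logged line can be pasted back into a shell without re-splitting."""
    return shlex.join(argv)


if __name__ == "__main__":
    print("shell would tokenise:", shlex.split(vulnerable_cmd(TAINTED_LAST)))
    print("child actually sees :", probe_child_args(TAINTED_LAST))
    print("copy-safe log line  :", loggable(fixed_argv(TAINTED_LAST)))
```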
github-actions Bot commented Apr 12, 2026

All Contributors have signed the CLA. ✅
Posted by the CLA Assistant Lite bot.

@UltralyticsAssistant UltralyticsAssistant added the labels bug (Something isn't working), fixed (Bug has been resolved) and python (Pull requests that update python code) on Apr 12, 2026
@UltralyticsAssistant

👋 Hello @orbisai0security, thank you for submitting an ultralytics/yolov5 🚀 PR! This is an automated message to help streamline review, and an engineer will assist you soon. Please review the checklist below to help ensure a smooth integration 😊

  • Define a Purpose: Clearly explain the purpose of your fix or feature in your PR description, and link to any relevant issues. Ensure your commit messages are clear, concise, and adhere to the project's conventions.
  • Synchronize with Source: Confirm your PR is synchronized with the ultralytics/yolov5 main branch. If it's behind, update it by clicking the 'Update branch' button or by running git pull and git merge main locally.
  • Ensure CI Checks Pass: Verify all Ultralytics Continuous Integration (CI) checks are passing. If any checks fail, please address the issues.
  • Update Documentation: Update the relevant documentation for any new or modified features.
  • Add Tests: If applicable, include or update tests to cover your changes, and confirm that all tests are passing.
  • Sign the CLA: Please ensure you have signed our Contributor License Agreement if this is your first Ultralytics PR by writing "I have read the CLA Document and I sign the CLA" in a new message.
  • Minimize Changes: Limit your changes to the minimum necessary for your bug fix or feature addition. "It is not daily increase but daily decrease, hack away the unessential. The closer to the source, the less wastage there is." — Bruce Lee

For more guidance, please refer to our Contributing Guide. Don't hesitate to leave a comment if you have any questions. Thank you for contributing to Ultralytics! 🚀

@UltralyticsAssistant UltralyticsAssistant left a comment


🔍 PR Review

Made with ❤️ by Ultralytics Actions

The diff looks clean. Switching from os.system() to subprocess.Popen() with argv lists removes shell parsing risks and preserves the non-blocking relaunch behavior for both single-GPU and DDP resume paths. I did not find any clear bugs or regressions in the changed lines.

@orbisai0security

I have read the CLA Document and I sign the CLA

@glenn-jocher glenn-jocher merged commit 508cb59 into ultralytics:master Apr 16, 2026
6 of 7 checks passed