From bc0855c7030d41c56eba3175f6b8a756bf65e1b5 Mon Sep 17 00:00:00 2001
From: Ali Razmjoo
Date: Wed, 4 Sep 2024 15:12:44 +0200
Subject: [PATCH] Fix unsafe shell command in luigi/contrib/lsf.py
Fixes #3304
Update `track_job` function to use `shell=False` in `subprocess.Popen` call.
* Change the `cmd` variable to be a list of arguments instead of a single string.
* Set the `shell` parameter to `False` in the `subprocess.Popen` call.
---
 luigi/contrib/lsf.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 mode change 100755 => 100644 luigi/contrib/lsf.py
diff --git a/luigi/contrib/lsf.py b/luigi/contrib/lsf.py
old mode 100755
new mode 100644
index 44e111b670..ae7a13d747
--- a/luigi/contrib/lsf.py
+++ b/luigi/contrib/lsf.py
@@ -81,9 +81,9 @@ def track_job(job_id):
 - "EXIT" based on the LSF documentation """
- cmd = "bjobs -noheader -o stat {}".format(job_id)
+ cmd = ["bjobs", "-noheader", "-o", "stat", str(job_id)]
 track_job_proc = subprocess.Popen(
- cmd, stdout=subprocess.PIPE, shell=True)
+ cmd, stdout=subprocess.PIPE, shell=False)
 status = track_job_proc.communicate()[0].strip('\n')
 return status
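Review bot: `str(job_id)` on the new `cmd` line is no longer interpreted by a shell, but a value that begins with `-` would still be read by `bjobs` as an option rather than a job id. Where `job_id` comes from is not visible here (`track_job` starts above the hunk, mid-docstring), so if it can be influenced from outside the scheduler's own output, reject it before building `cmd`, e.g. `if str(job_id).startswith("-"): raise ValueError("invalid LSF job id")`. Separately, on Python 3 `communicate()[0]` is bytes unless the pipe is opened in text mode, so the unchanged `.strip('\n')` would raise `TypeError`; adding `universal_newlines=True` to the `Popen` call touched here would cover that. The 100755 => 100644 mode change looks unrelated to the fix and is worth confirming as intended.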