From fe9f63043a71c86c193c5fd0a717c8ef09fe842b Mon Sep 17 00:00:00 2001
From: Whispering Wind <151555003+ReturnFI@users.noreply.github.com>
Date: Fri, 30 Aug 2024 21:33:13 +0330
Subject: [PATCH] Added shlex Preventing shell injection attacks.
---
 core/scripts/telegrambot/tbot.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/core/scripts/telegrambot/tbot.py b/core/scripts/telegrambot/tbot.py
index 8bf29e9..0813e36 100644
--- a/core/scripts/telegrambot/tbot.py
+++ b/core/scripts/telegrambot/tbot.py
@@ -4,6 +4,7 @@ import qrcode
 import io
 import json
 import os
+import shlex
 import re
 from dotenv import load_dotenv
 from telebot import types
@@ -17,7 +18,8 @@ bot = telebot.TeleBot(API_TOKEN)
 def run_cli_command(command):
 try:
- result = subprocess.check_output(command, shell=True, stderr=subprocess.STDOUT)
+ args = shlex.split(command)
+ result = subprocess.check_output(args, stderr=subprocess.STDOUT)
 return result.decode('utf-8').strip()
 except subprocess.CalledProcessError as e:
 return f'Error: {e.output.decode("utf-8")}'
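Review bot: Splitting the already-assembled string with `shlex.split(command)` in `run_cli_command` removes the shell, but any user-supplied value that callers interpolate into `command` (the call sites are not visible in this hunk) is still tokenised, so whitespace or a leading `-` in that value becomes extra arguments or options to the CLI. Building the argv as a list at the call sites, or at least wrapping each interpolated value in `shlex.quote()` before it reaches this function, would close that gap; the function can accept both forms with `args = command if isinstance(command, (list, tuple)) else shlex.split(command)`. `shlex.split` also raises `ValueError` on an unbalanced quote, which the existing `except subprocess.CalledProcessError` does not catch, so a separate `except ValueError as e: return f'Error: {e}'` is worth adding. Any caller that relied on shell features such as pipes or redirection will now pass those characters as literal arguments, so those call sites need checking.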