From 702927acc2cb98456a879ee70b24ae3ab23a8923 Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <23113631+pixeebot@users.noreply.github.com>
Date: Tue, 19 Dec 2023 06:17:33 +0000
Subject: [PATCH] Sandbox Process Creation

---
 pyproject.toml | 1 +
 src/pixee/cli.py | 7 +++----
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index b4289d8..5a8a0e5 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -15,6 +15,7 @@ dependencies = [
 "click",
 "prompt-toolkit",
 "questionary~=2.0.0",
+ "security~=1.2.0",
 ]
 [project.urls]
diff --git a/src/pixee/cli.py b/src/pixee/cli.py
index 07f114b..95f79f7 100644
--- a/src/pixee/cli.py
+++ b/src/pixee/cli.py
@@ -20,6 +20,7 @@
 from ._version import __version__
 from .logo import logo2 as logo
+from security import safe_command
 # Enable overrides for local testing purposes
 PYTHON_CODEMODDER = os.environ.get("PIXEE_PYTHON_CODEMODDER", "pixee-python-codemods")
@@ -159,8 +160,7 @@ def run_codemodder(
 f"Applying {num_codemods} {language} codemods",
 total=num_codemods,
 )
- command = subprocess.Popen(
- [codemodder, "--output", codetf.name, path] + common_codemodder_args,
+ command = safe_command.run(subprocess.Popen, [codemodder, "--output", codetf.name, path] + common_codemodder_args,
 stderr=subprocess.DEVNULL,
 stdout=subprocess.PIPE if not verbose else None,
 )
@@ -427,8 +427,7 @@ def summarize_results(combined_codetf):
 @lru_cache()
 def list_codemods(codemodder: str):
- result = subprocess.run(
- [codemodder, "--list"],
+ result = safe_command.run(subprocess.run, [codemodder, "--list"],
 stdout=subprocess.PIPE,
 stderr=subprocess.DEVNULL,
 check=True,
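Review bot: The new runtime dependency `"security~=1.2.0"` in pyproject.toml is pulled in on every install of the CLI, and nothing in the hunk records why it is there or which project publishes it. The distribution name is very generic, so confirm it is the intended package on the index before merging, and add a comment above the entry such as `# process-creation wrapper (safe_command) used in src/pixee/cli.py`. The `~=1.2.0` specifier accepts any later 1.2.x release, so if the project keeps a lock or constraints file with hashes, this package should be added to it in the same change.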
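Review bot: The added `from security import safe_command` in src/pixee/cli.py is a third-party absolute import placed after the package-relative imports (`from ._version ...`, `from .logo ...`). It belongs in the third-party group with the other installed packages, separated from the local imports by a blank line. The rest of the import block is outside the hunk, so the exact position should be checked against the full file.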
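Review bot: The rewritten call in run_codemodder packs the wrapped callable, the argv list and the start of the keyword arguments onto one over-long line, which makes the command that actually gets executed harder to audit. Break it up as `command = safe_command.run(`, then `subprocess.Popen,`, then `[codemodder, "--output", codetf.name, path] + common_codemodder_args,` on their own lines. The same applies to `safe_command.run(subprocess.run, [codemodder, "--list"],` in list_codemods. The wrapper also adds a failure path: when it rejects a command it presumably raises instead of returning a process or result object, and neither hunk shows that being handled next to the existing `check=True` error path. Both function bodies continue outside their hunks, so confirm the callers report a rejection cleanly. `codemodder` appears to be overridable through `PIXEE_PYTHON_CODEMODDER` and `path` is presumably user-supplied, so a short comment stating which restrictions the wrapper enforces by default would tell the next reader what this check does and does not cover.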