final bandit warning (#13314)

IanMatthewHuff · Ian Huff · web-flow · commit b7dc6795bdb5 · 2020-08-06T12:58:01.000-07:00
Co-authored-by: Ian Huff &lt;ianhuff@Ians-MacBook-Pro.local&gt;
diff --git a/news/3 Code Health/13103.md b/news/3 Code Health/13103.md
@@ -0,0 +1 @@
+Fix bandit issues in vscode_datascience_helpers.
diff --git a/pythonFiles/vscode_datascience_helpers/kernel_launcher.py b/pythonFiles/vscode_datascience_helpers/kernel_launcher.py
@@ -7,7 +7,9 @@
 
 import os
 import sys
-from subprocess import Popen, PIPE
+
+# See comment at the point of our use of Popen
+from subprocess import Popen, PIPE  # nosec
 
 from ipython_genutils.encoding import getdefaultencoding
 from ipython_genutils.py3compat import cast_bytes_py2
@@ -151,7 +153,9 @@ def launch_kernel(
             env["JPY_PARENT_PID"] = str(os.getpid())
 
     try:
-        proc = Popen(cmd, **kwargs)
+        # Popen with shell=False (which is the default) is our safest way to launch a process here
+        # this cmd does come from the jupyter kernelspec argv, but this is consistent with how jupyter works
+        proc = Popen(cmd, **kwargs)  # nosec
     except Exception as exc:
         msg = (
             "Failed to run command:\n{}\n" "    PATH={!r}\n" "    with kwargs:\n{!r}\n"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Fix bandit issues in vscode_datascience_helpers.`