From 4b8191ea94e943907a3444b1c72a91bd1f261002 Mon Sep 17 00:00:00 2001
From: lixintao
Date: Fri, 28 Jun 2024 16:00:06 +0800
Subject: [PATCH] Risk handling with shell=True
---
 avocado/utils/network/interfaces.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/avocado/utils/network/interfaces.py b/avocado/utils/network/interfaces.py
index 23bb63ed21..9c7acc1fc7 100644
--- a/avocado/utils/network/interfaces.py
+++ b/avocado/utils/network/interfaces.py
@@ -802,10 +802,9 @@ def ping_flood(self, int_name, peer_ip, ping_count):
 returns False on ping flood failure.
 :rtype: boolean
 """
- cmd = f"ping -I {int_name} {peer_ip} -c {ping_count} -f "
+ cmd = ["ping", "-I", str(int_name), str(peer_ip), "-c", str(ping_count), "-f"]
 ping_process = subprocess.Popen(
 cmd,
- shell=True,
 stdout=subprocess.PIPE,
 stderr=subprocess.STDOUT,
 universal_newlines=True,
@@ -819,9 +818,10 @@ def ping_flood(self, int_name, peer_ip, ping_count):
 msg = "ping flood failed to remote machine, Please check the logs"
 LOG.debug(msg)
 return False
- return True
+ break
 ping_process.stdout.close()
 ping_process.wait()
+ return True

 def get_device_IPI_name(self):
 """
@@ -839,11 +839,11 @@ def get_device_IPI_name(self):
 f"awk -F/ '{{print $3}}'"
 )
 interface_type = process.system_output(
- cmd, shell=True, ignore_status=True
+ cmd, ignore_status=True
 ).decode("utf-8")
 cmd = f"echo {interface_type} | sed 's/@/-/' "
 interface_type = process.system_output(
- cmd, shell=True, ignore_status=True
+ cmd, ignore_status=True
 ).decode("utf-8")
 return interface_type
 elif self.is_veth():
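Review bot: The argv list on the new `cmd = [...]` line removes shell parsing, but `peer_ip` is still passed as a bare positional argument, so a value beginning with `-` would be read by ping as an option rather than as a destination. Validate the inputs before building the list, e.g. `peer_ip = str(ipaddress.ip_address(peer_ip))` and `ping_count = int(ping_count)`, assuming callers always pass an address as the parameter name suggests. The start of ping_flood is outside the hunk, so validation done earlier in the method cannot be ruled out from here.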
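Review bot: The `return False` branch still leaves the function before `ping_process.stdout.close()` and `ping_process.wait()`, so the cleanup this hunk makes reachable on the success path is skipped on failure and the child may be left unreaped with its pipe open. Wrapping the read in `try: ... finally:` around those two calls, or using `with subprocess.Popen(...) as ping_process:`, covers both exits. Separately, the unconditional `break` appears to end the loop after the first read, so only the first chunk of output is checked for the failure pattern; the loop head is outside the hunk, so confirm that is intended.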
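Review bot: Both `cmd` strings in get_device_IPI_name are shell pipelines (the first ends in `awk -F/ '{{print $3}}'`, the second is `echo {interface_type} | sed 's/@/-/'`), so dropping `shell=True` from `process.system_output` changes what runs. Without a shell, the `|` and everything after it would be handed to the first program as literal arguments, assuming the helper splits the string into argv. The second call can be replaced by `interface_type = interface_type.replace("@", "-", 1)`, which needs no subprocess and no longer interpolates command output into a command line. The first command starts outside the hunk; it should either be rewritten in Python the same way or kept under a shell with its interpolated value passed through `shlex.quote`.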