Insecure command invocation in setup.py #868

@mhucka

Description

Describe the issue

CodeQL scanning reports a vulnerability in setup.py: https://github.com/quantumlib/qsim/security/code-scanning/51

        if not os.path.exists(self.build_temp):
            os.makedirs(self.build_temp)
        subprocess.check_call(
            ["cmake", ext.sourcedir] + cmake_args, cwd=self.build_temp, env=env
        )

The check_call may allow the user to execute malicious code.

What version of qsim are you using?

0.23.0.dev0

How can the issue be reproduced?

No response
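The finding above is about what reaches `subprocess.check_call`: the call already uses the list form (no `shell=True`), so the risk is not shell injection but the arguments themselves, since `cmake -P` runs an arbitrary script and a `-D` definition such as `CMAKE_CXX_COMPILER` picks which executable the build runs. The following is an added example of how a `setup.py` could validate `ext.sourcedir` and `cmake_args` before invoking cmake; it is not qsim's code, and the names `ALLOWED_CMAKE_KEYS`, `UnsafeCMakeArgument`, `validate_cmake_args`, `validate_sourcedir`, `build_cmake_command` and `run_cmake` are all assumptions made for this illustration.

```python
import os
import re
import shutil
import subprocess
from pathlib import Path

# Hypothetical allow-list of CMake cache variables a build is permitted to set.
# A real project would list exactly the variables its CMakeLists.txt consumes.
ALLOWED_CMAKE_KEYS = frozenset({
    "CMAKE_BUILD_TYPE",
    "CMAKE_LIBRARY_OUTPUT_DIRECTORY",
    "PYTHON_EXECUTABLE",
})

# Only "-D<KEY>=<VALUE>" is accepted: no "-P", "-C", "-E" or other cmake
# modes that run scripts, and no shell metacharacters in the value (harmless
# to exec(), but they should never end up in a generated build script either).
_DEFINE_RE = re.compile(r"^-D(?P<key>[A-Z][A-Z0-9_]*)=(?P<value>[^;&|`$\n]*)$")


class UnsafeCMakeArgument(ValueError):
    """Raised when an argument would let cmake run code the build did not intend."""


def validate_cmake_args(cmake_args):
    """Return cmake_args unchanged if every entry is an allow-listed -D define."""
    cleaned = []
    for arg in cmake_args:
        match = _DEFINE_RE.match(arg)
        if match is None:
            raise UnsafeCMakeArgument(f"rejected cmake argument: {arg!r}")
        key = match.group("key")
        if key not in ALLOWED_CMAKE_KEYS:
            raise UnsafeCMakeArgument(f"cache variable not allowed: {key}")
        cleaned.append(arg)
    return cleaned


def validate_sourcedir(sourcedir, project_root):
    """Return the resolved source directory, which must lie inside project_root.

    resolve() normalises '..' and symlinks, so a path that escapes the
    checkout (and could point at someone else's CMakeLists.txt) is rejected.
    """
    root = Path(project_root).resolve()
    src = Path(sourcedir).resolve()
    if src != root and root not in src.parents:
        raise UnsafeCMakeArgument(f"source dir {src} is outside {root}")
    return src


def build_cmake_command(sourcedir, cmake_args, project_root, cmake_exe=None):
    """Assemble the argv list for cmake after validating every piece of it."""
    if cmake_exe is None:
        # Resolve the binary explicitly instead of relying on PATH at exec time.
        cmake_exe = shutil.which("cmake")
        if cmake_exe is None:
            raise FileNotFoundError("cmake executable not found on PATH")
    src = validate_sourcedir(sourcedir, project_root)
    args = validate_cmake_args(cmake_args)
    return [cmake_exe, str(src)] + args


def run_cmake(sourcedir, cmake_args, project_root, build_temp, env=None):
    """Configure the build, keeping the list form so no shell ever parses argv."""
    os.makedirs(build_temp, exist_ok=True)
    cmd = build_cmake_command(sourcedir, cmake_args, project_root)
    subprocess.check_call(cmd, cwd=build_temp, env=env)
    return cmd


if __name__ == "__main__":
    # Constructed sample inputs; nothing is executed here, only assembled.
    print(build_cmake_command(
        "/srv/proj/pybind_interface",
        ["-DCMAKE_BUILD_TYPE=Release"],
        "/srv/proj",
        cmake_exe="/usr/bin/cmake",
    ))
```

The validation sits in front of the call rather than replacing it: `check_call` with a list is the right primitive, and what the scanner is really asking for is evidence that the two inputs spliced into that list, the source directory and the extra arguments, cannot be steered by whoever controls the environment `setup.py` runs in.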

Metadata

Assignees

No one assigned

    Labels

    area/health: Involves general matters of project configuration, health, maintenance, and similar concerns
    area/python: Involves the Python code in qsim
    contributors welcome: Help with this would be appreciated
    priority/p2: Medium priority

    Type

    Projects

    Status

    No status

    Relationships

    None yet

    Development

    No branches or pull requests