From 343fd01e19c3ce485029661a2e5d25883500a311 Mon Sep 17 00:00:00 2001
From: Jacob Dahl <37091262+dakejahl@users.noreply.github.com>
Date: Fri, 6 Mar 2026 14:23:20 -0900
Subject: [PATCH] fix(tools): prevent command injection in px_mkfw.py (#26678)

* fix(tools): prevent command injection in px_mkfw.py
* copilot review: only capture stdout
---
 Tools/px_mkfw.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/Tools/px_mkfw.py b/Tools/px_mkfw.py
index f31d2a8972..8ed8d4aa19 100755
--- a/Tools/px_mkfw.py
+++ b/Tools/px_mkfw.py
@@ -42,6 +42,7 @@
 import argparse
 import json
 import base64
+import os
 import zlib
 import time
 import subprocess
@@ -99,14 +100,13 @@ if args.summary != None:
 if args.description != None:
     desc['description'] = str(args.description)
 if args.git_identity != None:
-    cmd = "git --git-dir '{:}/.git' describe --exclude ext/* --always --tags".format(args.git_identity)
-    p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE).stdout
-    desc['git_identity'] = p.read().strip().decode('utf-8')
-    p.close()
-    cmd = "git --git-dir '{:}/.git' rev-parse --verify HEAD".format(args.git_identity)
-    p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE).stdout
-    desc['git_hash'] = p.read().strip().decode('utf-8')
-    p.close()
+    git_dir = os.path.join(args.git_identity, '.git')
+    p = subprocess.run(["git", "--git-dir", git_dir, "describe", "--exclude", "ext/*", "--always", "--tags"],
+                       stdout=subprocess.PIPE, text=True)
+    desc['git_identity'] = p.stdout.strip()
+    p = subprocess.run(["git", "--git-dir", git_dir, "rev-parse", "--verify", "HEAD"],
+                       stdout=subprocess.PIPE, text=True)
+    desc['git_hash'] = p.stdout.strip()
 if args.parameter_xml != None:
     f = open(args.parameter_xml, "rb")
     bytes = f.read()
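Review bot: Neither subprocess.run call in the second hunk passes `check=True`, and `p.returncode` is never read, so a wrong --git-dir or any git failure leaves desc['git_identity'] and desc['git_hash'] as empty strings and the firmware descriptor is written with blank provenance instead of the build failing; `check=True` on both calls, or an explicit returncode test, would surface that. `text=True` also decodes stdout with the locale's preferred encoding, whereas the removed code always used UTF-8; `text=True, encoding='utf-8'` keeps the old behaviour on non-UTF-8 locales. Passing an argument list without a shell additionally means `ext/*` now reaches git literally rather than being subject to glob expansion in the current directory, which appears to be the intent. The `if args.parameter_xml` block at the end of the hunk continues past it.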