Built a defensive subprocess wrapper with allow-list validation, timeout handling, structured responses, sequential pipeline support, and execution logging.
- Basic Python programming knowledge (functions, classes, exceptions)
- Understanding of command-line operations in Linux
- Familiarity with Python standard library concepts
- Basic knowledge of security principles
- Operating System: Ubuntu 24.04 LTS cloud lab environment
- Primary User: toor
- Python Runtime: Python 3.12.x in a virtual environment
- Execute system commands securely using Python's subprocess module
- Implement input validation to prevent command injection attacks
- Handle errors and timeouts in subprocess execution
- Build a reusable library for safe command execution
This lab was completed through the following high-level activities:
- Step 1: Start Your Lab Environment
- Step 2: Connect and Prepare
- Step 3: Create Project Structure
- Step 1.1: Create the Base Runner Class
- Step 1.2: Implement Command Validation
- Step 1.3: Implement Command Execution
- Step 1.4: Implement Pipeline Execution (Optional Challenge)
- Step 2.1: Create Test Script
lab02-safe-subprocess-runner-library/
├── README.md
├── commands.sh
├── output.txt
├── interview_qna.md
├── troubleshooting.md
└── project/
    ├── examples.py
    ├── logs/subprocess.log
    ├── safe_runner.py
    ├── test_runner.py
    ├── verify_security.py
    └── verify_timeout.py
- Expected: All dangerous commands should be blocked.
- Expected: Command should time out after 2 seconds.
- Expected: Log file should contain execution records.
- Why command allow-lists are safer than trying to blacklist dangerous inputs.
- How to use subprocess.run() with timeouts and explicit result handling.
- How to block shell metacharacters, path traversal, and unsafe absolute paths.
- How to log subprocess activity for security auditing and troubleshooting.
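A compact sketch of the validation and execution pattern listed above, added here as an illustration; it is not the lab's `safe_runner.py`. The names `ALLOWED`, `METACHARS`, `validate` and `run_safe`, the allow-list contents and the result fields are all assumptions, and logging is left out to keep the focus on validation and timeouts.

```python
import shlex
import subprocess

# Assumed allow-list: only these bare program names may run (hypothetical choice).
ALLOWED = {"echo", "ls", "sleep", "true"}
# Rejected outright as defence in depth, even though no shell is ever involved.
METACHARS = set(";&|`$><\n\\(){}*?!")

def validate(command: str) -> list[str]:
    """Return argv if the command passes every check, else raise ValueError."""
    bad = METACHARS.intersection(command)
    if bad:
        raise ValueError(f"shell metacharacter(s) {sorted(bad)!r}")
    argv = shlex.split(command)  # also raises ValueError on unbalanced quotes
    if not argv:
        raise ValueError("empty command")
    if argv[0] not in ALLOWED:   # "/bin/ls" or "./ls" fail here as well
        raise ValueError(f"{argv[0]!r} is not on the allow-list")
    for arg in argv[1:]:
        if arg.startswith("/"):
            raise ValueError(f"absolute path {arg!r}")
        if ".." in arg.split("/"):
            raise ValueError(f"path traversal in {arg!r}")
    return argv

def run_safe(command: str, timeout: float = 5.0) -> dict:
    """Validate, execute without a shell, and return a structured result."""
    result = {"command": command, "ok": False, "returncode": None,
              "stdout": "", "stderr": "", "error": None}
    try:
        argv = validate(command)
        proc = subprocess.run(argv, shell=False, capture_output=True,
                              text=True, timeout=timeout)
    except ValueError as exc:
        result["error"] = f"blocked: {exc}"
    except subprocess.TimeoutExpired:
        result["error"] = f"timeout after {timeout}s"
    except OSError as exc:
        result["error"] = f"exec failed: {exc}"
    else:
        result.update(ok=proc.returncode == 0, returncode=proc.returncode,
                      stdout=proc.stdout, stderr=proc.stderr)
    return result

if __name__ == "__main__":
    # Constructed sample inputs: one benign, three that must be blocked, one timeout.
    for cmd in ("echo hello", "ls; id", "ls ../x", "cat /etc/passwd", "sleep 5"):
        r = run_safe(cmd, timeout=2)
        print(f"{cmd!r:20} ok={r['ok']} error={r['error']}")
```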
This lab has direct security relevance because it focuses on preventing command injection, restricting execution scope, and recording execution activity for auditability.
Automation often needs to call operating system utilities. Without strict validation, subprocess usage can become a command injection risk. This lab reinforced safer process execution patterns that are directly relevant to secure automation.
- Secure wrappers around operational scripts and maintenance tasks.
- Controlled execution layers inside backend services or agents.
- Security-aware automation in CI/CD jobs and support tooling.
Implemented and tested a reusable safe subprocess runner that blocked dangerous input and handled errors predictably.
This lab strengthened my hands-on foundation in building a safe subprocess runner library and produced a clean set of project files, command history, execution output, interview notes, and troubleshooting guidance for portfolio use.
All code, commands, outputs, and support material used for this lab are organized in this folder for traceability and GitHub documentation readiness.