From 950821cb9bb7fba773ba88e14cd8ade9f9151b8b Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Sat, 25 Apr 2026 06:29:31 +0530
Subject: [PATCH] fix: use subprocess instead of os.system in local_backend.py (#2494)
* fix: use subprocess instead of os.system in local_backend.py The sandbox backend and skill evaluation scripts use subprocess
* fixing the failing test
---------
Co-authored-by: Willem Jiang
---
 .../harness/deerflow/sandbox/local/local_sandbox.py | 6 +++---
 backend/tests/test_local_sandbox_provider_mounts.py | 4 +++-
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/backend/packages/harness/deerflow/sandbox/local/local_sandbox.py b/backend/packages/harness/deerflow/sandbox/local/local_sandbox.py
index 2da0a678f..ae8c948b0 100644
--- a/backend/packages/harness/deerflow/sandbox/local/local_sandbox.py
+++ b/backend/packages/harness/deerflow/sandbox/local/local_sandbox.py
@@ -288,10 +288,10 @@ class LocalSandbox(Sandbox):
 timeout=600,
 )
 else:
+ args = [shell, "-c", resolved_command]
 result = subprocess.run(
- resolved_command,
- executable=shell,
- shell=True,
+ args,
+ shell=False,
 capture_output=True,
 text=True,
 timeout=600,
diff --git a/backend/tests/test_local_sandbox_provider_mounts.py b/backend/tests/test_local_sandbox_provider_mounts.py
index 18e180e3b..328b1d48d 100644
--- a/backend/tests/test_local_sandbox_provider_mounts.py
+++ b/backend/tests/test_local_sandbox_provider_mounts.py
@@ -255,7 +255,9 @@ class TestMultipleMounts:
 sandbox.execute_command("cat /mnt/data/test.txt")
 # Verify the command received the resolved local path
- assert str(data_dir) in captured.get("command", "")
+ command = captured.get("command", [])
+ assert isinstance(command, list) and len(command) >= 3
+ assert str(data_dir) in command[2]
 def test_reverse_resolve_path_does_not_match_partial_prefix(self, tmp_path):
 foo_dir = tmp_path / "foo"
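Review bot: In local_sandbox.py, `[shell, "-c", resolved_command]` with `shell=False` still hands the whole command string to a shell, so metacharacters in `resolved_command` are interpreted exactly as they were with `shell=True`, and the new form should not be read as injection hardening. A comment above the `args` line would keep that clear, for example `# resolved_command is still parsed by the shell via -c; isolation must come from the sandbox, not from shell=False`. The list form also loses the fallback to the default shell that `executable=None` gave, so if `shell` can be unset on this path (not visible here) the call would now fail with a TypeError, and an explicit check before building `args` would cover that. The enclosing method starts and ends outside the hunk.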
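Review bot: In test_local_sandbox_provider_mounts.py, the updated assertions check only the length of the argv list and the content of `command[2]`, so the test would still pass if the `-c` flag were dropped or moved. Adding `assert command[1] == "-c"` pins the argv shape that the production call now relies on. Splitting the combined check into `assert isinstance(command, list)` and `assert len(command) >= 3` would also make a failure say which condition broke. The test function starts outside the hunk, so how `captured` is filled is not visible here.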