Security: Command Injection in get_members via subprocess.check_output

[tomaioo]

Summary

Security: Command Injection in get_members via subprocess.check_output

Problem

Severity: Medium | File: gcm/monitoring/get_members.py:L38

The get_members_raw method in CliObjectImpl passes user-provided groups tuple directly to subprocess.check_output without sanitization. While the groups come from click arguments, if any part of the group name contains shell metacharacters, it could lead to command execution. More critically, the get_members function calls obj.get_members_raw(groups) where obj can be injected, but the default implementation uses subprocess without shell=False, which is safer. However, the getent command execution could still be problematic if malicious group names are crafted.

Solution

Ensure all elements in the groups tuple are validated to be valid group names (alphanumeric with limited safe characters) before passing to subprocess. Consider using a regex like ^[a-zA-Z0-9_-]+$ to validate group names.

Changes

• gcm/monitoring/get_members.py (modified)

[meta-cla]

Hi @tomaioo!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!

[github-actions]

CI Commands

The following CI workflows run automatically on every push and pull request:

Workflow	What it runs
GPU Cluster Monitoring Python CI	lint, tests, typecheck, format, deb build, pyoxidizer builds
Go packages CI	shelper tests, format, lint

---

The following commands can be used by maintainers to trigger additional tests that require access to secrets:

Command	Description	Requires approval?
/metaci tests	Runs Meta internal integration tests (pytest)	Yes — a maintainer must trigger the command and approve the deployment request
/metaci integration tests	Same as above (alias)	Yes

Note: Only repository maintainers (OWNER association) can trigger /metaci commands. After commenting the command, a maintainer must also navigate to the Actions tab and approve the deployment to the graph-api-access environment before the jobs will run. See the approval guidelines for what to approve or reject.