fix(security): pipe sudo password via stdin instead of shell cmdline

2026-03-08 17:46:11 +03:30
parent a2ea85924a
commit e9742e202f
8 changed files with 132 additions and 45 deletions
--- a/tools/environments/singularity.py
+++ b/tools/environments/singularity.py
@@ -228,7 +228,15 @@ class SingularityEnvironment(BaseEnvironment):

        effective_timeout = timeout or self.timeout
        work_dir = cwd or self.cwd
-        exec_command = self._prepare_command(command)
+        exec_command, sudo_stdin = self._prepare_command(command)
+
+        # Merge sudo password (if any) with caller-supplied stdin_data.
+        if sudo_stdin is not None and stdin_data is not None:
+            effective_stdin = sudo_stdin + stdin_data
+        elif sudo_stdin is not None:
+            effective_stdin = sudo_stdin
+        else:
+            effective_stdin = stdin_data

        # apptainer exec --pwd doesn't expand ~, so prepend a cd into the command
        if work_dir == "~" or work_dir.startswith("~/"):
@@ -245,12 +253,12 @@ class SingularityEnvironment(BaseEnvironment):
            proc = subprocess.Popen(
                cmd,
                stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
-                stdin=subprocess.PIPE if stdin_data else subprocess.DEVNULL,
+                stdin=subprocess.PIPE if effective_stdin else subprocess.DEVNULL,
                text=True,
            )
-            if stdin_data:
+            if effective_stdin:
                try:
-                    proc.stdin.write(stdin_data)
+                    proc.stdin.write(effective_stdin)
                    proc.stdin.close()
                except Exception:
                    pass