Code Room
Code review · Hard · cr-g445
Subject: Command injection
Level: Senior–Staff
~24 min
Common in: Security interviews
Industries: Software development

Question

Review this Python CI service that clones a user-supplied repo URL, correctly avoiding the shell.

What a strong answer looks like

Separate real bugs from style. Rank issues by severity, point at the root cause rather than the symptom, and suggest a concrete fix — specific and kind.

Talk through your review
Code to review (python)

```python
import subprocess, os


def clone(repo_url, build_id):
    # Clone target lives under a fixed build root, keyed by the caller's build id.
    dest = os.path.join('/tmp/builds', build_id)
    os.makedirs(dest, exist_ok=True)
    # argv list form: no shell is involved, so shell metacharacters are not interpreted.
    subprocess.run(
        ['git', 'clone', '--depth', '1', repo_url, dest],
        check=True,
        timeout=120,
        capture_output=True,
    )
    return dest
```
Run or narrate your approach, then ask the coach.
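The snippet under review never touches a shell, yet both of its inputs still reach a privileged parser: `repo_url` is handed to git's own option parser and `build_id` to `os.path.join`. The hardened version below is an added example, not part of the original exercise or its answer key; it assumes the service only clones over HTTPS and keeps the same `/tmp/builds` root. It terminates git's option parsing with `--`, rejects URLs that would be read as options, and constrains `build_id` to a plain token so it cannot leave the build root.

```python
import os
import re
import subprocess
from urllib.parse import urlsplit

BUILD_ROOT = "/tmp/builds"  # same root as the snippet under review
# A build id is an opaque token: no '/', no '..', nothing that can leave BUILD_ROOT.
BUILD_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")
ALLOWED_SCHEMES = {"https"}  # assumption: this service only clones over HTTPS

def validate_build_id(build_id: str) -> str:
    if not BUILD_ID_RE.fullmatch(build_id):
        raise ValueError("invalid build id")
    return build_id

def validate_repo_url(repo_url: str) -> str:
    # A value beginning with '-' is parsed by git as an option, not a repository,
    # so refuse it outright, then require a real https URL with a host.
    if repo_url.startswith("-"):
        raise ValueError("repository URL must not start with '-'")
    parts = urlsplit(repo_url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("repository URL must be https://host/...")
    return repo_url

def build_clone_argv(repo_url: str, build_id: str, build_root: str = BUILD_ROOT):
    """Return (argv, dest); kept apart from clone() so it can be tested without git."""
    dest = os.path.join(build_root, validate_build_id(build_id))
    url = validate_repo_url(repo_url)
    # '--' ends option parsing: everything after it is positional, never an option.
    return ["git", "clone", "--depth", "1", "--", url, dest], dest

def clone(repo_url: str, build_id: str, build_root: str = BUILD_ROOT) -> str:
    argv, dest = build_clone_argv(repo_url, build_id, build_root)
    os.makedirs(dest, exist_ok=False)  # refuse a directory another job already created
    subprocess.run(argv, check=True, timeout=120, capture_output=True,
                   env={**os.environ, "GIT_TERMINAL_PROMPT": "0"})  # never block on a prompt
    return dest

def is_rejected(validator, value: str) -> bool:
    """Test helper: True when the validator raises ValueError for value."""
    try:
        validator(value)
    except ValueError:
        return True
    return False
```

The validators are deliberately allow-list based: a build id that is not a token and a URL that is not `https://host/...` are rejected before git ever sees them, which is the property a reviewer should ask the author to test.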