fix: validate subcommand name before dynamic import (#4620)

RinZ27 · web-flow · commit 1386c70ea2b1 · 2026-03-05T13:23:58.000Z
Validation for subcommand names in `execute_subcommand` ensures that
only alphanumeric characters and underscores are processed. While
checking the command execution flow, I noticed that `import_module` was
receiving values directly from the scenario configuration without
sanitization. This change prevents potential unintended module loading
attempts through special characters or path traversal sequences in the
subcommand string.

Existing tests for command execution remain unchanged, and I added a new
test case to verify that invalid subcommand names are correctly rejected
with a `MoleculeError`. Verified the changes locally with `ruff` to
ensure compliance with the project's linting standards.
diff --git a/src/molecule/command/base.py b/src/molecule/command/base.py
@@ -28,6 +28,7 @@
 import fnmatch
 import importlib
 import logging
+import re
 import shutil
 import subprocess
 
@@ -416,10 +417,18 @@ def execute_subcommand(
         current_config: An instance of a Molecule config.
         subcommand_and_args: A string representing the subcommand and arguments.
 
+    Raises:
+        MoleculeError: If an invalid subcommand name is provided.
+
     Returns:
         The result of the subcommand.
     """
     (subcommand, *args) = subcommand_and_args.split(" ")
+
+    if not re.fullmatch(r"[a-zA-Z0-9_-]+", subcommand):
+        msg = f"Invalid subcommand name: {subcommand}"
+        raise MoleculeError(msg)
+
     command_module = importlib.import_module(f"molecule.command.{subcommand}")
     command = getattr(command_module, text.camelize(subcommand))
 
diff --git a/src/molecule/exceptions.py b/src/molecule/exceptions.py
@@ -29,7 +29,7 @@ def __init__(
             message: The message to display about the problem.
             code: Exit code to use when exiting.
         """
-        super().__init__()
+        super().__init__(message)
         self.code = code
         self.message = message
 
diff --git a/tests/unit/command/test_base.py b/tests/unit/command/test_base.py
@@ -31,7 +31,7 @@
 
 from molecule import config, util
 from molecule.command import base
-from molecule.exceptions import ImmediateExit, ScenarioFailureError
+from molecule.exceptions import ImmediateExit, MoleculeError, ScenarioFailureError
 from molecule.shell import main
 
 
@@ -361,6 +361,22 @@ def test_execute_subcommand(config_instance: config.Config) -> None:
     assert config_instance.action == "list"
 
 
+def test_execute_subcommand_invalid(config_instance: config.Config) -> None:
+    """Ensure execute_subcommand raises MoleculeError for invalid subcommands.
+
+    Args:
+        config_instance: Mocked config_instance fixture.
+
+    Returns:
+        None
+    """
+    with pytest.raises(MoleculeError, match="Invalid subcommand name"):
+        base.execute_subcommand(config_instance, "invalid.command")
+
+    with pytest.raises(MoleculeError, match="Invalid subcommand name"):
+        base.execute_subcommand(config_instance, "../../malicious")
+
+
 def test_execute_scenario(
     mocker: MockerFixture,
     patched_execute_subcommand: MagicMock,
