Fix command injection vulnerabilities in bonding.py and load_config.py

[Copilot]

Two command injection vulnerabilities where user- or config-controlled input was interpolated into shell commands executed with shell=True.

src/op_mode/bonding.py

The interface parameter (user-supplied CLI input) was passed directly into a shell command via f-string with shell=True, allowing arbitrary command execution via crafted interface names (e.g., bond0; rm -rf /).

Replaced both subprocess.run calls with direct Python file I/O — no subprocess needed to read /proc/net/bonding/<iface>:

# Before
data = subprocess.run(f"cat /proc/net/bonding/{interface}",
                      shell=True, ...).stdout.decode('utf-8')

# After
with open(f'/proc/net/bonding/{interface}', 'r') as f:
    data = f.read()

Also removed the now-unused subprocess import.

python/vyos/load_config.py

set_commands() passed config diff output into popen() with shell=True via f-string. A malicious config file containing shell metacharacters in node values (e.g., $(cmd), ;cmd) could execute arbitrary commands during a config load.

Replaced with a proper argument list (invoking popen with shell=False) and added validation that the operation subcommand contains only safe characters before constructing the binary path:

# Before
out, rc = popen(f'/opt/vyatta/sbin/my_{op}', shell=True, stderr=DEVNULL)

# After
parts = op.split()
if not parts or not parts[0].replace('-', '').replace('_', '').isalnum():
    continue
cmd = [f'/opt/vyatta/sbin/my_{parts[0]}'] + parts[1:]
out, rc = popen(cmd, stderr=DEVNULL)

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.