Fix command injection on subdomain gathering

.github/SECURITY.md

@@ -30,6 +30,8 @@ Thanks to these individuals for reporting Security Issues in reNgine.
 
 ### 2022
 
+* [HIGH] [Blind command injection](https://huntr.dev/bounties/b255cf59-9ecd-4255-b9a2-b40b5ec6c572/) in CMS Detector, Reported by [Abdulrahman Abdullah](https://github.com/ph33rr)
+
 * [LOW] [Stored XSS](https://huntr.dev/bounties/dfd440ba-4330-413c-8b21-a3d8bf02a67e/) on Import Targets via filename, Reported by [Veeshraj Ghimire](https://github.com/V35HR4J)
 
 * [LOW] [Stored XSS](https://huntr.dev/bounties/8ea5d3a6-f857-45e4-9473-e4d9cb8f7c77/) on HackerOne Markdown template, Reported by [Smaran Chand](https://github.com/smaranchand) and [Ayoub Elaich](https://github.com/sicks3c)
@@ -38,6 +40,7 @@ Thanks to these individuals for reporting Security Issues in reNgine.
 
 * [LOW] [HTML Injection](https://huntr.dev/bounties/da2d32a1-8faf-453d-8fa8-c264fd8d7806/) in Subscan, Reported by [nerrorsec](https://github.com/nerrorsec)
 
+
 ### 2021
 * [LOW] [Stored XSS](https://github.com/yogeshojha/rengine/issues/178) on Detail Scan Page via Page Title Parameter, Reported by [omemishra](https://github.com/omemishra)
 

web/reNgine/tasks.py

@@ -551,7 +551,8 @@ def subdomain_scan(
 						amass_command += ' -config /root/.config/amass.ini'
 					# Run Amass Passive
 					logging.info(amass_command)
-					os.system(amass_command)
+					process = subprocess.Popen(amass_command.split())
+					process.wait()
 
 				elif tool == 'amass-active':
 					amass_command = 'amass enum -active -d {} -o {}/from_amass_active.txt'.format(
@@ -573,23 +574,26 @@ def subdomain_scan(
 
 					# Run Amass Active
 					logging.info(amass_command)
-					os.system(amass_command)
+					process = subprocess.Popen(amass_command.split())
+					process.wait()
 
 				elif tool == 'assetfinder':
 					assetfinder_command = 'assetfinder --subs-only {} > {}/from_assetfinder.txt'.format(
 						domain.name, results_dir)
 
 					# Run Assetfinder
 					logging.info(assetfinder_command)
-					os.system(assetfinder_command)
+					process = subprocess.Popen(assetfinder_command.split())
+					process.wait()
 
 				elif tool == 'sublist3r':
 					sublist3r_command = 'python3 /usr/src/github/Sublist3r/sublist3r.py -d {} -t {} -o {}/from_sublister.txt'.format(
 						domain.name, threads, results_dir)
 
 					# Run sublist3r
 					logging.info(sublist3r_command)
-					os.system(sublist3r_command)
+					process = subprocess.Popen(sublist3r_command.split())
+					process.wait()
 
 				elif tool == 'subfinder':
 					subfinder_command = 'subfinder -d {} -t {} -o {}/from_subfinder.txt'.format(
@@ -600,15 +604,17 @@ def subdomain_scan(
 
 					# Run Subfinder
 					logging.info(subfinder_command)
-					os.system(subfinder_command)
+					process = subprocess.Popen(subfinder_command.split())
+					process.wait()
 
 				elif tool == 'oneforall':
 					oneforall_command = 'python3 /usr/src/github/OneForAll/oneforall.py --target {} run'.format(
 						domain.name, results_dir)
 
 					# Run OneForAll
 					logging.info(oneforall_command)
-					os.system(oneforall_command)
+					process = subprocess.Popen(oneforall_command.split())
+					process.wait()
 
 					extract_subdomain = "cut -d',' -f6 /usr/src/github/OneForAll/results/{}.csv >> {}/from_oneforall.txt".format(
 						domain.name, results_dir)
@@ -631,7 +637,8 @@ def subdomain_scan(
 						execution_command = execution_command.replace('{OUTPUT}', '{}/from_{}.txt'.format(results_dir, tool))
 						execution_command = execution_command.replace('{PATH}', custom_tool.github_clone_path) if '{PATH}' in execution_command else execution_command
 						logger.info('Custom tool {} running with command {}'.format(tool, execution_command))
-						os.system(execution_command)
+						process = subprocess.Popen(execution_command.split())
+						process.wait()
 					else:
 						logger.error('Sorry can not run this tool! because TARGET and OUTPUT are not available!')
 	except Exception as e: