From 19850d442e789e9f93bcbd83d7e23779e3bd7c10 Mon Sep 17 00:00:00 2001
From: Ubuntu
Date: Tue, 7 Apr 2026 05:43:25 +0000
Subject: [PATCH] fix: V-001 security vulnerability
Automated security fix generated by Orbis Security AI
---
 tests/sherlock_interactives.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/tests/sherlock_interactives.py b/tests/sherlock_interactives.py
index c28b9dc06a..6e91fcee1a 100644
--- a/tests/sherlock_interactives.py
+++ b/tests/sherlock_interactives.py
@@ -1,6 +1,7 @@
 import os
 import platform
 import re
+import shlex
 import subprocess
 class Interactives:
@@ -8,13 +9,13 @@ def run_cli(args:str = "") -> str:
 """Pass arguments to Sherlock as a normal user on the command line"""
 # Adapt for platform differences (Windows likes to be special)
 if platform.system() == "Windows":
- command:str = f"py -m sherlock_project {args}"
+ command:list = ["py", "-m", "sherlock_project"] + shlex.split(args)
 else:
- command:str = f"sherlock {args}"
+ command:list = ["sherlock"] + shlex.split(args)
 proc_out:str = ""
 try:
- proc_out = subprocess.check_output(command, shell=True, stderr=subprocess.STDOUT)
+ proc_out = subprocess.check_output(command, shell=False, stderr=subprocess.STDOUT)
 return proc_out.decode()
 except subprocess.CalledProcessError as e:
 raise InteractivesSubprocessError(e.output.decode())
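Review bot: In the second hunk, `shlex.split(args)` tokenises the string with POSIX shell rules on both branches, so on the Windows branch an unquoted backslash in an argument (a Windows path, for example) is consumed as an escape character. The test would then run with a different argument than the one it wrote. Since `run_cli` keeps accepting one string, I would state that contract next to the split, e.g. `# args is tokenised with POSIX rules (shlex); quote or escape backslashes, also on Windows`. The annotation `command:list` would also read better as `command: list[str]`. The `def run_cli` line appears only in the hunk header, so callers that relied on shell expansion inside `args` are not visible here and should be checked.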