## PDSA-2023-005: Command injection in fs.py

### CVE Number

CVE-2023-38673

### Impact

`os.system` in fs.py can lead to command injection. The PoC is as follows:

```python
from paddle.distributed.fleet.utils import LocalFS

client = LocalFS()
client.mkdirs("hi;pwd;")
```

### Patches

We have patched the issue in commit [2bfe358043096fdba9e2a4cf0f5740102b37fd8f](https://github.com/PaddlePaddle/Paddle/commit/2bfe358043096fdba9e2a4cf0f5740102b37fd8f).
The fix will be included in PaddlePaddle 2.5.0.

### For more information

Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.

### Attribution

This vulnerability has been reported by Xiaochen Guo from Huazhong University of Science and Technology.