Summary
tests/sherlock_interactives.py currently builds a shell command with string interpolation and executes it with subprocess.check_output(..., shell=True).
command = f"sherlock {args}"
proc_out = subprocess.check_output(command, shell=True, stderr=subprocess.STDOUT)Why this is a problem
- it makes the test helper depend on shell parsing instead of argument parsing
- quoting behavior becomes platform-sensitive
- future tests that pass characters such as quotes, semicolons, or shell metacharacters can behave unexpectedly
- the helper is harder to reason about than a direct argv-based subprocess call
Even though this is test code, the helper is meant to model CLI usage, so it is better if it invokes the CLI directly without going through a shell.
Proposed fix
Refactor the helper to:
- build an argv list instead of a shell string
- invoke the module with
sys.executable -m sherlock_project ...
- keep stderr capture and existing error handling behavior intact
Summary
tests/sherlock_interactives.pycurrently builds a shell command with string interpolation and executes it withsubprocess.check_output(..., shell=True).Why this is a problem
Even though this is test code, the helper is meant to model CLI usage, so it is better if it invokes the CLI directly without going through a shell.
Proposed fix
Refactor the helper to:
sys.executable -m sherlock_project ...