Command Injection risk in rahu.py via insecure os.popen usage #73

@w1z1y123

Description

I recently analyzed nsepython using Bandit and identified a critical security vulnerability involving Command Injection.

Location
File: nsepython/rahu.py
Line: 32

```python
cmd = f'curl -b cookies.txt "{encoded_url}" {curl_headers}'
raw = os.popen(cmd).read()
```

The Vulnerability
The code constructs a system command using f-strings and executes it directly via os.popen. This is dangerous because if any part of encoded_url or curl_headers contains untrusted input (or if the library is used in a web app context), an attacker could inject shell commands (e.g., using ; or &&).
Recommendation
Avoid using os.popen with shell commands. Instead, use the standard Python requests library to handle HTTP requests, which is secure by design and does not spawn a system shell.

```python
# Suggested Fix
import requests

# headers: the curl_headers flags as a dict; cookies: the contents of cookies.txt
response = requests.get(encoded_url, headers=headers, cookies=cookies)
```
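Added example (not nsepython's code and not from the issue author): it rebuilds the command from rahu.py line 32 with a constructed URL, shows how a POSIX shell would split that text into several commands, and shows the shell-free alternatives (an argv list for subprocess, and curl's cookies.txt loaded into a cookie jar that a requests session can use). The URL, header and cookies.txt contents are constructed placeholders and the function names are hypothetical; nothing here executes a command or opens a connection.

```python
import shlex
import tempfile
from http.cookiejar import MozillaCookieJar
from pathlib import Path

# Constructed sample input (hypothetical): a caller-controlled URL carrying a
# closing quote and ';' ends curl's argument early once a shell parses it.
SUSPICIOUS_URL = 'https://example.test/api?x=1"; echo injected; "'
CURL_HEADERS = '-H "Accept: application/json"'  # rahu.py keeps headers as text

def build_vulnerable_cmd(encoded_url: str, curl_headers: str) -> str:
    """Mirrors rahu.py line 32: user data is interpolated into shell text."""
    return f'curl -b cookies.txt "{encoded_url}" {curl_headers}'

def shell_commands(cmd: str) -> list[list[str]]:
    """Tokenise cmd as a POSIX shell would and split it at ';', '&&', '||', '|'.
    One intended command coming back as several argv lists is the injection."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&&", "||", "|"):
            commands.append(current)
            current = []
        else:
            current.append(tok)
    commands.append(current)
    return commands

def build_argv(encoded_url: str, headers: dict[str, str]) -> list[str]:
    """Shell-free equivalent for subprocess.run(argv, shell=False): each value
    stays exactly one argument, whatever characters it contains."""
    argv = ["curl", "-b", "cookies.txt", encoded_url]
    for name, value in headers.items():
        argv += ["-H", f"{name}: {value}"]
    return argv

def load_curl_cookies(cookie_file: str) -> MozillaCookieJar:
    """cookies.txt written by curl is Netscape format; the loaded jar can be
    assigned to requests.Session().cookies for the fix the issue suggests."""
    jar = MozillaCookieJar(cookie_file)
    jar.load(ignore_discard=True, ignore_expires=True)
    return jar

def cookie_names_from_sample() -> list[str]:
    # Constructed cookies.txt: magic header line, then tab-separated fields.
    row = "\t".join([".example.test", "TRUE", "/", "TRUE", "2147483647", "session", "abc123"])
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp, "cookies.txt")
        path.write_text("# Netscape HTTP Cookie File\n" + row + "\n")
        return [c.name for c in load_curl_cookies(str(path))]
```

With the benign URL the shell sees exactly one command; with the constructed one it sees three, while build_argv keeps the same URL as a single argument.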
