fix(tools): prevent command injection in px_mkfw.py (#26678)

* fix(tools): prevent command injection in px_mkfw.py

* copilot review: only capture stdout

Tools/px_mkfw.py

@@ -42,6 +42,7 @@
 import argparse
 import json
 import base64
+import os
 import zlib
 import time
 import subprocess
@@ -99,14 +100,13 @@ if args.summary != None:
 if args.description != None:
 	desc['description']	= str(args.description)
 if args.git_identity != None:
-	cmd = "git --git-dir '{:}/.git' describe --exclude ext/* --always --tags".format(args.git_identity)
+	git_dir = os.path.join(args.git_identity, '.git')
-	p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE).stdout
+	p = subprocess.run(["git", "--git-dir", git_dir, "describe", "--exclude", "ext/*", "--always", "--tags"],
-	desc['git_identity']	= p.read().strip().decode('utf-8')
+		stdout=subprocess.PIPE, text=True)
-	p.close()
+	desc['git_identity']	= p.stdout.strip()
-	cmd = "git --git-dir '{:}/.git' rev-parse --verify HEAD".format(args.git_identity)
+	p = subprocess.run(["git", "--git-dir", git_dir, "rev-parse", "--verify", "HEAD"],
-	p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE).stdout
+		stdout=subprocess.PIPE, text=True)
-	desc['git_hash']	= p.read().strip().decode('utf-8')
+	desc['git_hash']	= p.stdout.strip()
-	p.close()
 if args.parameter_xml != None:
 	f = open(args.parameter_xml, "rb")
 	bytes = f.read()