Blocking subprocess call inside an async route handler
Part of Code Quality & Syntax, which counts for 20% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
subprocess.run/call/check_output/check_call/Popen and os.system all block the calling thread until the child process exits, freezing the event loop for every other request in the meantime.
Why it matters
subprocess.run/call/check_output/Popen and os.system all block the calling thread until the child process finishes. Inside an async def handler that freezes the event loop for every other request for as long as the subprocess takes to run, which can be seconds for anything beyond a trivial command.
How to fix it
Use asyncio.create_subprocess_exec or asyncio.create_subprocess_shell and await its completion, or move the call into a thread with await run_in_threadpool(...) if the project cannot adopt the asyncio subprocess API right away. Either way, keep validating/sanitizing any request-derived arguments the same as before; this fix is about blocking, not about command injection.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo