refactor: disable spawning a shell on subprocess

csops/run.py

@@ -8,25 +8,30 @@ from csops._version import __version__
 
 def encrypt(args):
     encrypted_filename = f"{args.file.stem}.enc{args.file.suffix}"
-    subprocess.run(
-        "sops --encrypt --gcp-kms "
-        f"{CONFIG.gcp_kms_key} {args.file} >  {encrypted_filename}",
+    encrypted_contents = subprocess.run(
+        ["sops", "--encrypt", "--gcp-kms", CONFIG.gcp_kms_key, args.file],
         check=True,
         text=True,
-        shell=True,
+        shell=False,
+        capture_output=True,
     )
+    with pathlib.Path(encrypted_filename).open("w", encoding="utf-8") as file:
+        file.write(encrypted_contents.stdout)
     print(encrypted_filename)
     raise SystemExit(0)
 
 
 def decrypt(args):
     decrypted_filename = f"{args.file.stem.split('.')[0]}{args.file.suffix}"
-    subprocess.run(
-        f"sops --decrypt {args.file} >  {decrypted_filename}",
+    decrypted_contents = subprocess.run(
+        ["sops", "--decrypt", args.file],
         check=True,
         text=True,
-        shell=True,
+        shell=False,
+        capture_output=True,
     )
+    with pathlib.Path(decrypted_filename).open("w", encoding="utf-8") as file:
+        file.write(decrypted_contents.stdout)
     print(decrypted_filename)
     raise SystemExit(0)
 
@@ -35,7 +40,7 @@ def run():
     parser = argparse.ArgumentParser()
     parser.add_argument("flag", type=str, nargs=1)
     parser.add_argument("file", type=pathlib.Path)
-    parser.add_argument('-v', '--version', action='version', version='%(prog)s ' + __version__)
+    parser.add_argument("-v", "--version", action="version", version="%(prog)s " + __version__)
     args = parser.parse_args()
 
     try: