From b11f43a4db96cb0533f29739faced172c07244f6 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Wed, 18 Mar 2026 00:14:35 +0100
Subject: [PATCH] top-complexity: prevent filename-based shell injection risk

As we run this script in CI, this should reduce the risk of mischief

Found by Codex Security

Closes #20969
---
 scripts/top-complexity | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/scripts/top-complexity b/scripts/top-complexity
index 69a9256bb8..f2d869f607 100755
--- a/scripts/top-complexity
+++ b/scripts/top-complexity
@@ -60,8 +60,8 @@ if(! -r "lib/url.c" || ! -r "lib/urldata.h") {
 }
 
 my @files;
-open(F, "git ls-files '*.c'|");
-while() {
+open(my $git, "-|", "git", "ls-files", "*.c") or die "git ls-files failed: $!";
+while(<$git>) {
 chomp $_;
 my $file = $_;
 # we cannot filter these with git so do it here
@@ -69,9 +69,11 @@ while() {
 push @files, $file;
 }
 }
+close($git);
 
-my $cmd = "$pmccabe ".join(" ", @files);
-my @output=`$cmd`;
+open(my $pmc, "-|", $pmccabe, @files) or die "pmccabe failed: $!";
+my @output = <$pmc>;
+close($pmc);
 
 # these functions can have these scores, but not higher
 my %whitelist = (
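Review bot: The `or die` on the new list-form `open(my $git, "-|", "git", "ls-files", "*.c")` only reports a failed fork; if git cannot be executed or exits non-zero (for example when the script is not run inside a work tree), the read loop just sees EOF, `@files` stays empty and the failure is silent. The child's exit status is only visible from close, and the second hunk discards it with a bare `close($git);`, as it does for `close($pmc);`. Suggest `close($git) or die "git ls-files failed: $? $!";` and `close($pmc) or die "pmccabe failed: $? $!";` so a broken CI environment fails the job instead of producing an empty report. The body of the while loop continues outside this hunk.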
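Review bot: Nothing guards against `@files` being empty before the new `open(my $pmc, "-|", $pmccabe, @files)`; if the in-loop filter drops every name, pmccabe is started with no file arguments and, as far as I recall its behaviour, then reads standard input, which in CI most likely yields an empty result rather than an error. A one-line guard before the open, `die "no .c files found" unless @files;`, makes that case fail loudly. Separately, the list form now passes `$pmccabe` (defined above this hunk) as a single argv[0], so if it ever carried flags such as `pmccabe -v` they would no longer be split by a shell; if that was possible, its definition deserves a comment saying it must be a bare program name.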