[Security][API] Potential command injection in translation CLI commands

### Contact Details
security-automation@local

### This bug is related to UI or API?
API

### What happened?
The translation CLI uses shell command strings for `pybabel` execution and accepts a user-controlled `lang` argument. This pattern can become command injection when shell metacharacters are passed.

Expected behavior:
- Execute `pybabel` via argument list (no shell string execution)
- Validate `lang` against a strict allowlist pattern

Patch prepared:
- Replaced shell execution with subprocess argument list
- Added language code validation before execution

Reference branch/commit:
- Branch: `codex/sec-python-rescan-20260308`
- Commit: `5f0137d35`

### Version
newest

### What browsers are you seeing the problem on?
Chrome

### Relevant log output
```shell
Bandit finding before fix:
- api/commands/common.py:118 B605 HIGH/HIGH
  Starting a process with a shell, possible injection detected.
```


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security][API] Potential command injection in translation CLI commands #765

Contact Details

This bug is related to UI or API?

What happened?

Version

What browsers are you seeing the problem on?

Relevant log output

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Security][API] Potential command injection in translation CLI commands #765

Description

Contact Details

This bug is related to UI or API?

What happened?

Version

What browsers are you seeing the problem on?

Relevant log output

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions