Cmd-injection.py tests are incorrect

@rivenfornotification if you get a chance, have a read through my article on Input Validation: Necessary but Not Sufficient; It Doesn't Target the Fundamental Issue. It primarily highlights both of your points.

As I mentioned above, this challenge can be solved in other ways as well. The expected way is via enforcing URL schema validation against the input. That is to prevent only a single avenue of attack, which is arbitrary command execution. Is this enough? Maybe. Do we need to do more? Yes. Setting shell=False is another layer of defence that, as I described in the article, separates data from code. Anytime we mix data with code, we can have this insecure design pattern. Are there still other vulnerabilities in the app after this fix? Yes! But it is not the focus.

In reality, we refactor the code and completely remove any system call. External service calls can be done in a much safer way than what we see in this easy challenge. The point here was focusing on getting a robust URL schema input validation, and that's why Popen is mocked.

We are all learning in this community. We aim to be constructive and helpful. I may also suggest taking a look at the Play SDK and refactoring this challenge with the tests that you think suit it best. I can offer to review and publish it for you on SecDim.

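An added example of the two layers the post describes, URL schema validation plus shell=False, written here for illustration and not taken from the SecDim challenge or the Play SDK: the use of curl, the argv shape, and the fake runner standing in for the mocked Popen are all assumptions.

```python
"""Added example (not the challenge's own code): validate the URL schema,
then pass the validated value as ONE argv element with shell=False, so no
shell ever parses the user's input. The runner is injectable, mirroring how
the post says Popen is mocked in the tests."""
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web URLs are expected


def validate_url(url: str) -> str:
    """Allow only absolute http(s) URLs with a host; raise on anything else."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("URL has no host")
    # Whitespace and control characters never belong in a URL; reject them.
    if any(c.isspace() or ord(c) < 32 for c in url):
        raise ValueError("URL contains whitespace or control characters")
    return url


def rejects(url: str) -> bool:
    """True if validate_url refuses the input (helper for tests)."""
    try:
        validate_url(url)
    except ValueError:
        return True
    return False


def vulnerable_command(url: str) -> str:
    """'Before' shape: one string destined for shell=True. Data and code are
    mixed, so the shell, not curl, decides what the input means."""
    return f"curl -s {url}"


def hardened_command(url: str) -> list:
    """'After' shape: validated URL becomes a single argv element; '--' stops
    curl from reading it as an option even if it starts with '-'."""
    return ["curl", "-s", "--", validate_url(url)]


def fake_runner(argv, **kwargs):
    """Stand-in for subprocess.run, like the mocked Popen in the tests."""
    return argv


def fetch(url: str, runner=subprocess.run):
    """Run the hardened command; shell=False means no shell interprets argv."""
    return runner(hardened_command(url), shell=False, capture_output=True, check=False)
```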