Turn Shell Commands into RESTful Endpoints with Flask
Posted inDevOps / CLI Tools

Turn Shell Commands into RESTful Endpoints with Flask

Turn Shell Commands into RESTful Endpoints with Flask

 

Introduction: Sometimes you need to execute system-level shell commands remotely—perhaps to monitor logs, trigger batch operations, or control infrastructure components. Instead of SSHing into a server, why not expose controlled shell commands over HTTP? With Flask, a lightweight Python web framework, we can wrap shell commands inside REST endpoints safely and efficiently.

This post will guide you through how to turn ordinary shell commands into RESTful endpoints using Flask. You’ll learn how to structure the project, safely run commands, return formatted outputs, and even extend the system for automation purposes.

1. Setting Up the Flask Environment

Before handling any shell commands, you need a stable Flask environment. Flask offers simplicity while being robust enough to handle various use cases.

# Create a virtual environment
python3 -m venv venv
source venv/bin/activate
pip install Flask

Then, create a file app.py and import the essentials:

from flask import Flask, jsonify, request
import subprocess

app = Flask(__name__)

This simple setup readies Flask to serve HTTP endpoints that will soon execute shell commands safely.

2. Executing Shell Commands via Subprocess

Python’s subprocess module is the gold standard for executing shell commands securely. Using subprocess.run() allows fine-grained control over execution and output handling.

@app.route('/run', methods=['POST'])
def run_command():
    data = request.get_json()
    command = data.get('cmd')

    if not command:
        return jsonify({'error': 'Missing command'}), 400

    try:
        result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=10)
        return jsonify({
            'stdout': result.stdout.strip(),
            'stderr': result.stderr.strip(),
            'returncode': result.returncode
        })
    except subprocess.TimeoutExpired:
        return jsonify({'error': 'Command timed out'}), 408

This endpoint receives a JSON payload with the desired shell command, runs it inside a subprocess, and returns captured outputs as JSON. The timeout parameter prevents rogue commands from hanging indefinitely.

3. Securing Command Execution

Exposing shell commands online poses serious security risks. You should whitelist safe commands instead of allowing arbitrary execution. Here’s how to enforce that.

ALLOWED_COMMANDS = {
    'disk_usage': 'df -h',
    'list_processes': 'ps aux',
    'uptime': 'uptime'
}

@app.route('/safe-run', methods=['POST'])
def run_safe_command():
    data = request.get_json()
    alias = data.get('cmd')

    if alias not in ALLOWED_COMMANDS:
        return jsonify({'error': 'Command not allowed'}), 403

    result = subprocess.run(ALLOWED_COMMANDS[alias], shell=True, capture_output=True, text=True)
    return jsonify({'output': result.stdout.strip()})

Whitelisting creates a controlled safety layer—users can only invoke predefined aliases. You could extend this with role-based authentication or API key verification for even tighter security.

4. Formatting Command Outputs and Error Handling

Some commands produce multi-line or formatted outputs. For better presentation, you can structure responses more intelligently before sending them back to clients.

def parse_output(output):
    return [line for line in output.split('\n') if line.strip()]

@app.route('/parse-run', methods=['POST'])
def run_and_parse():
    data = request.get_json()
    alias = data.get('cmd')

    if alias not in ALLOWED_COMMANDS:
        return jsonify({'error': 'Invalid command'}), 403

    result = subprocess.run(ALLOWED_COMMANDS[alias], shell=True, capture_output=True, text=True)
    clean_output = parse_output(result.stdout)

    return jsonify({
        'status': 'ok' if result.returncode == 0 else 'error',
        'lines': clean_output
    })

This approach is great for commands like df -h or ps aux where structured multi-line outputs are more readable when parsed into JSON arrays. It helps front-end consumers render responses beautifully.

5. Extending with Background Tasks and Async Patterns

What if the command takes longer? You can run it asynchronously using subprocess.Popen or external task queues like Celery for background execution.

import threading

def async_worker(cmd):
    subprocess.run(cmd, shell=True)

@app.route('/background', methods=['POST'])
def run_background():
    data = request.get_json()
    alias = data.get('cmd')

    if alias not in ALLOWED_COMMANDS:
        return jsonify({'error': 'Command not allowed'}), 403

    thread = threading.Thread(target=async_worker, args=(ALLOWED_COMMANDS[alias],))
    thread.start()

    return jsonify({'status': 'started', 'command': alias})

This model frees the HTTP response immediately while the command runs in the background. It’s ideal for long-running operations like backups or updates.

6. Deployment and Performance Tips

For a production setup, run Flask via Gunicorn or uWSGI behind NGINX. Ensure HTTPS for secure command transport.

  • Use shell=False when possible for parameterized safety.
  • Apply request throttling to prevent overload attacks.
  • Log timestamps and user identifiers for auditability.
  • Cache frequent, read-only command results to reduce load.

Conclusion: Turning shell commands into RESTful endpoints is a powerful automation technique. It bridges traditional system scripts with modern web workflows, simplifying remote management, monitoring, and execution. By combining Flask’s simplicity with security best practices, your infrastructure can gain agility while remaining safe.

 

Useful links: