I was looking through mkconcore.py and noticed a potential security issue in how node labels are parsed.
Around line 213, the code cleans up the label like this: nodes_dict[node['id']] = re.sub(r'(\s+|\n)', ' ', node_label)
It only removes whitespace. The problem is that this label is later used to build shell commands in the run scripts (around line 680).
If a user opens a malicious GraphML file where a node label contains shell characters (like ;, &, or |), those characters get written directly into the generated run.bat or run script, leading to command injection when the script is executed.
We should probably add a strict regex validation there to allow only alphanumeric characters and underscores, or ensure it's properly quoted.
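As an added illustration (not code from mkconcore.py), the following shows both mitigations together: the whitespace cleanup from the report, followed by an allow-list check that accepts only alphanumerics and underscores, and then shlex quoting as a second layer before the label is placed on a shell line. The GraphML fragment, the `label` key name and the `run_core` command are constructed assumptions; shlex quoting covers POSIX shells only, so for run.bat the allow-list check is the one that matters.

```python
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed GraphML fragment (not from the project): one benign label and
# one label carrying shell metacharacters that must be rejected.
SAMPLE_GRAPHML = """<?xml version="1.0" encoding="UTF-8"?>
<graphml xmlns="http://graphml.graphdrawing.org/xmlns">
  <key id="label" for="node" attr.name="label" attr.type="string"/>
  <graph id="G" edgedefault="directed">
    <node id="n0"><data key="label">core_a</data></node>
    <node id="n1"><data key="label">core_b; echo injected</data></node>
  </graph>
</graphml>"""

NS = {"g": "http://graphml.graphdrawing.org/xmlns"}
SAFE_LABEL = re.compile(r"^[A-Za-z0-9_]+$")  # allow-list, nothing else


def normalize_label(label: str) -> str:
    """Collapse whitespace runs as the original cleanup does (plus strip)."""
    return re.sub(r"(\s+|\n)", " ", label).strip()


def validate_label(label: str) -> str:
    """Reject any label that is not purely alphanumeric/underscore."""
    if not SAFE_LABEL.fullmatch(label):
        raise ValueError(f"unsafe node label: {label!r}")
    return label


def build_run_line(label: str) -> str:
    """Validate first, then quote anyway (defence in depth for POSIX shells)."""
    return "run_core " + shlex.quote(validate_label(normalize_label(label)))


def parse_labels(graphml_text: str) -> dict:
    """Return {node_id: raw label text} from a GraphML document."""
    root = ET.fromstring(graphml_text)
    labels = {}
    for node in root.iterfind(".//g:node", NS):
        data = node.find("g:data[@key='label']", NS)
        labels[node.get("id")] = (data.text or "") if data is not None else ""
    return labels


def safe_run_lines(graphml_text: str) -> dict:
    """Map node id to a shell line, or to the rejection reason if unsafe."""
    result = {}
    for node_id, label in parse_labels(graphml_text).items():
        try:
            result[node_id] = build_run_line(label)
        except ValueError as exc:
            result[node_id] = f"REJECTED: {exc}"
    return result
```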