Improper Output Neutralization for Logs
CVE-2025-41419
Summary
A Command Injection vulnerability exists in the ms-swift web UI, specifically in the "LLMTrain#train()" and "LLMTrain#train_local()" methods. The application directly concatenates user-supplied input (e.g., "--output_dir") into a shell command and executes it using "os.system()". This allows an attacker to inject arbitrary shell commands via specially crafted inputs. This issue affects versions prior to 3.7.0.
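The pattern described above, contrasted with a hardened form, as an added illustration (this is example code, not code from ms-swift; the `swift sft` command line, the function names and the path policy are assumptions). The fix has two independent parts: pass the command as an argv list so no shell ever parses the user value, and validate `--output_dir` against a strict path policy as defence in depth.

```python
import json
import re
import shlex
import subprocess
import sys
from typing import List

# Assumed policy: a path made only of these characters and no ".." component.
_SAFE_PATH = re.compile(r"^[A-Za-z0-9_./-]+$")


def build_train_command_unsafe(output_dir: str) -> str:
    """The pattern the advisory describes: user input concatenated into a
    single string meant for os.system(). Shown for contrast only; nothing
    here executes the returned string."""
    return "swift sft --output_dir " + output_dir


def validate_output_dir(output_dir: str) -> str:
    """Reject anything that is not a plain path: whitespace, quotes, ';',
    '|', '$', backticks and so on fail the regex; '..' is refused separately
    so the training run cannot be pointed outside the intended tree."""
    if not _SAFE_PATH.fullmatch(output_dir):
        raise ValueError("output_dir contains disallowed characters")
    if ".." in output_dir.split("/"):
        raise ValueError("output_dir must not contain '..' components")
    return output_dir


def build_train_argv(output_dir: str) -> List[str]:
    """Hardened form: an argv list. Each element reaches the child process
    as exactly one argument, so shell metacharacters in output_dir carry no
    meaning even before validation is considered."""
    return ["swift", "sft", "--output_dir", validate_output_dir(output_dir)]


def run_train(argv: List[str]) -> subprocess.CompletedProcess:
    # shell=False (the default) is the important part: the list goes to
    # execve directly and is never interpreted by /bin/sh.
    return subprocess.run(argv, check=True, capture_output=True, text=True)


def echo_argv(args: List[str]) -> List[str]:
    """Demonstrates the argv-list guarantee without invoking any real tool:
    spawn the interpreter itself and have it report the arguments it
    received. A value with ';' in it arrives as one literal argument."""
    child = [sys.executable, "-c",
             "import sys, json; print(json.dumps(sys.argv[1:]))", *args]
    result = subprocess.run(child, check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def quoted_for_shell(output_dir: str) -> str:
    """If a shell string truly cannot be avoided, shlex.quote() is the
    minimum: the value becomes a single quoted token. Prefer argv lists."""
    return "swift sft --output_dir " + shlex.quote(output_dir)


if __name__ == "__main__":
    # Constructed sample values.
    print(build_train_argv("runs/exp1"))
    print(echo_argv(["--output_dir", "out;x"]))
    try:
        build_train_argv("out;x")
    except ValueError as exc:
        print("rejected:", exc)
```

Detection-side, the same policy is a useful audit rule: any `os.system()` or `subprocess.*(shell=True)` call whose string is built from request parameters is the code smell to grep for in a web UI that launches training jobs.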
- LOW
- NETWORK
- ACTIVE
- NONE
CWE-117 - Improper Output Neutralization for Logs
The software does not neutralize or incorrectly neutralizes output that is written to logs.
References
Advisory Timeline
- Published