
[inventec] Replace os.system and remove subprocess with shell=True #12108

Merged
merged 2 commits into from
Oct 14, 2022

Conversation

maipbui
Contributor

@maipbui maipbui commented Sep 19, 2022

Signed-off-by: maipbui <maibui@microsoft.com>

Dependency: #12065

Why I did it

  1. getstatusoutput is used without a static string, and it uses shell=True
  2. subprocess() - using it with shell=True is dangerous. Using a subprocess function without a static string can lead to command injection.
  3. os - not secure against maliciously constructed input, and dangerous if used to evaluate dynamic content.

How I did it

  1. use getstatusoutput without shell=True
  2. subprocess() - use shell=False instead; use an array of strings. Ref: https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation
  3. os - use subprocess instead

How to verify it

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205

Description for the changelog

Ensure a label/tag is added for the feature raised. Example: PR#2174, where the Generic Config and Update feature has been labelled as GCU.

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

Signed-off-by: maipbui <maibui@microsoft.com>
@lgtm-com

lgtm-com bot commented Sep 19, 2022

This pull request introduces 2 alerts and fixes 5 when merging 409c027 into 1effff9 - view on LGTM.com

new alerts:

  • 2 for Unused import

fixed alerts:

  • 5 for Unused import

@maipbui maipbui requested a review from qiluo-msft September 19, 2022 14:21
@@ -66,7 +64,7 @@ class BCMUtil(bcmshell):

def get_platform(self):
if self.platform is None:
self.platform = os.popen("uname -n").read().strip()
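Review bot: the context line `self.platform = os.popen("uname -n").read().strip()` returns the hostname with its trailing newline and any surrounding whitespace removed; if the replacement is `subprocess.check_output(["uname", "-n"])`, keep in mind that it returns bytes including the trailing newline, so `text=True` (or `.decode()`) plus `.strip()` is needed for `self.platform` to hold the same value as before.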
Collaborator

@qiluo-msft qiluo-msft Sep 19, 2022


.strip()

Do you want to keep .strip()? It also applies to blank char. #Closed

cmd = "i2cdetect -y "+str(FAN_VPD_CHANNEL)+" "+str(addr)+" "+str(addr)+" | grep "+str(hex(addr)).replace('0x','')
result=os.system(cmd)
cmd1 = ["i2cdetect", "-y", str(FAN_VPD_CHANNEL), str(addr), str(addr)]
cmd2 = ["grep", str(hex(addr)).replace('0x','')]
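Review bot: `cmd1` and `cmd2` split the old `... | grep ...` string into two argv lists, but nothing shown connects them; the pipe has to be rebuilt explicitly (`Popen(cmd1, stdout=PIPE)` feeding `cmd2`'s stdin, then reading `cmd2`'s return code), or the grep dropped and the address looked for in `i2cdetect`'s output from Python, otherwise `result` no longer carries grep's exit status the way `result=os.system(cmd)` did. Also, `str(hex(addr)).replace('0x','')` gives a one-character pattern for addresses below 0x10 (`hex(8)` is `'0x8'`); `format(addr, '02x')` yields the two-digit form.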
Collaborator

@qiluo-msft qiluo-msft Sep 19, 2022


replace

better way: https://stackoverflow.com/a/16414603/2514803 #Closed

Contributor Author


Fixed, thanks!
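The shell-free form of the `i2cdetect | grep` pipeline that the PR description and the review exchange above are about, written out as an added example (not the PR's own code); `i2c_probe_argv`, `run_pipeline` and `address_in_table` are hypothetical names, and the i2cdetect table is a constructed sample so the code runs without I2C hardware:

```python
import subprocess
from typing import Sequence

# Constructed sample of i2cdetect's table with a device answering at 0x1a
# (hypothetical output, embedded so the pipeline runs without I2C hardware).
SAMPLE_I2CDETECT = (
    "     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f\n"
    "10: -- -- -- -- -- -- -- -- -- -- 1a -- -- -- -- --\n"
)


def i2c_probe_argv(channel: int, addr: int) -> tuple[list[str], list[str]]:
    """argv lists for `i2cdetect -y CH ADDR ADDR | grep HEX`, with no shell.

    Each list element reaches the program as exactly one argument, so no shell
    ever parses the command line.  The address is padded to two hex digits.
    """
    return (["i2cdetect", "-y", str(channel), str(addr), str(addr)],
            ["grep", format(addr, "02x")])


def run_pipeline(first: Sequence[str], second: Sequence[str]) -> tuple[int, str]:
    """Run `first | second` as a shell would, but through two Popen calls.

    Returns (exit status of `second`, its stdout).  grep exits 0 only when a
    line matched, which is the signal the os.system() version relied on.
    """
    p1 = subprocess.Popen(first, stdout=subprocess.PIPE)
    p2 = subprocess.Popen(second, stdin=p1.stdout, stdout=subprocess.PIPE, text=True)
    p1.stdout.close()  # p1 gets SIGPIPE if p2 exits before consuming everything
    out, _ = p2.communicate()
    p1.wait()
    return p2.returncode, out


def address_in_table(table: str, addr: int) -> bool:
    """No-pipeline alternative: run only i2cdetect and filter its text in Python.

    `table` is what subprocess.run(argv, capture_output=True, text=True).stdout
    would return; taking it as a parameter keeps this testable offline.
    """
    cell = format(addr, "02x")
    return any(cell in line.split()[1:] for line in table.splitlines() if ":" in line)


if __name__ == "__main__":
    # printf stands in for i2cdetect so the pipeline can be exercised anywhere.
    status, matched = run_pipeline(["printf", "%s", SAMPLE_I2CDETECT], ["grep", "1a"])
    print(status, matched.strip(), address_in_table(SAMPLE_I2CDETECT, 0x1a))
```

Because the argv lists never pass through a shell, an argument containing spaces or `|` is delivered to `i2cdetect` or `grep` as one literal string rather than being parsed as extra commands.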

Signed-off-by: maipbui <maibui@microsoft.com>
@lgtm-com

lgtm-com bot commented Oct 5, 2022

This pull request introduces 2 alerts and fixes 5 when merging 799902a into 1f0699f - view on LGTM.com

new alerts:

  • 2 for Unused import

fixed alerts:

  • 5 for Unused import

@maipbui
Contributor Author

maipbui commented Oct 7, 2022

@klhaung @david-xk @CynthiaINV Could you help review and verify?

@maipbui maipbui marked this pull request as ready for review October 14, 2022 14:20
@maipbui maipbui requested a review from lguohan as a code owner October 14, 2022 14:20
@maipbui maipbui merged commit 92d25be into sonic-net:master Oct 14, 2022
@maipbui maipbui deleted the inventec_sec branch October 14, 2022 14:21
3 participants