[inventec] Replace os.system and remove subprocess with shell=True #12108
Conversation
Signed-off-by: maipbui <maibui@microsoft.com>
This pull request introduces 2 alerts and fixes 5 when merging 409c027 into 1effff9 - view on LGTM.com new alerts:
fixed alerts:
@@ -66,7 +64,7 @@ class BCMUtil(bcmshell): | |||
|
|||
def get_platform(self): | |||
if self.platform is None: | |||
self.platform = os.popen("uname -n").read().strip() |
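Review bot: os.popen("uname -n") in get_platform still runs through a shell. The command string is static, so there is no injection path here, but for consistency with the PR's goal of removing shell-based calls it could become subprocess.check_output(["uname", "-n"], text=True).strip(), or platform.node() from the standard library, which needs no child process at all.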
cmd = "i2cdetect -y "+str(FAN_VPD_CHANNEL)+" "+str(addr)+" "+str(addr)+" | grep "+str(hex(addr)).replace('0x','') | ||
result=os.system(cmd) | ||
cmd1 = ["i2cdetect", "-y", str(FAN_VPD_CHANNEL), str(addr), str(addr)] | ||
cmd2 = ["grep", str(hex(addr)).replace('0x','')] |
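Review bot: the replacement splits the pipeline into cmd1 and cmd2 but still needs a second process for grep. Since grep only tests whether the address appears in the output, run cmd1 alone with subprocess.run(cmd1, capture_output=True, text=True) and search the captured stdout in Python, which removes the pipe entirely. Also note that `result=os.system(cmd)` returned the shell's exit status, not the output, so whatever consumed `result` must be adjusted to the new return value.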
better way: https://stackoverflow.com/a/16414603/2514803 #Closed
Fixed, thanks!
Signed-off-by: maipbui <maibui@microsoft.com>
This pull request introduces 2 alerts and fixes 5 when merging 799902a into 1f0699f - view on LGTM.com new alerts:
fixed alerts:
@klhaung @david-xk @CynthiaINV Could you help review and verify?
Signed-off-by: maipbui maibui@microsoft.com
Dependency: #12065
Why I did it
- getstatusoutput is used without a static string and it uses shell=True
- subprocess() - using it with shell=True is dangerous. Using a subprocess function without a static string can lead to command injection.
- os - not secure against maliciously constructed input and dangerous if used to evaluate dynamic content.
How I did it
- getstatusoutput - without shell=True
- subprocess() - use shell=False instead. Use an array string. Ref: https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation
- os - use subprocess instead
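As an added illustration (not code from this PR or the sonic-buildimage repository), the os.system pipeline discussed in the review above beside the list-based, shell=False subprocess form the description recommends, with the grep stage done in Python; FAN_VPD_CHANNEL and the i2cdetect output are constructed placeholders:

```python
import subprocess

# Constructed value for this example (a placeholder, not the platform's real constant).
FAN_VPD_CHANNEL = 2

def build_shell_command(addr):
    """The pattern the PR removes: one string handed to a shell via os.system."""
    return ("i2cdetect -y " + str(FAN_VPD_CHANNEL) + " " + str(addr) + " " + str(addr)
            + " | grep " + hex(addr).replace("0x", ""))

def build_argv(addr):
    """Hardened form: an argument list for subprocess with shell=False.

    Each element is exactly one argv entry, so nothing in addr is ever parsed by a
    shell; addr is also forced to an int so a non-numeric value fails here instead.
    """
    addr = int(addr)
    return ["i2cdetect", "-y", str(FAN_VPD_CHANNEL), str(addr), str(addr)]

def address_present(i2cdetect_output, addr):
    """Replaces the '| grep' stage in Python.

    i2cdetect prints one row per 16 addresses, labelled '50:' and so on. Only the
    cells after the row label are checked, so the label itself never produces a
    false match (a plain grep for '50' would match the '50:' label on every run).
    """
    token = format(int(addr), "02x")
    for line in i2cdetect_output.splitlines():
        cells = line.split()
        if len(cells) > 1 and cells[0].endswith(":") and token in cells[1:]:
            return True
    return False

def detect_device(addr):
    """Run i2cdetect without a shell and report whether a device answers at addr."""
    proc = subprocess.run(build_argv(addr), capture_output=True, text=True)
    return proc.returncode == 0 and address_present(proc.stdout, addr)

# Constructed i2cdetect output: devices answering at 0x50 and 0x53 on the scanned row.
SAMPLE_OUTPUT = (
    "     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f\n"
    "50: 50 -- -- 53 -- -- -- -- -- -- -- -- -- -- -- --\n"
)

if __name__ == "__main__":
    print(build_shell_command(0x50))
    print(build_argv(0x50))
    print(address_present(SAMPLE_OUTPUT, 0x53))  # True
```

detect_device needs a real i2c bus and the i2cdetect binary; the other functions run anywhere, which is where the test logic belongs.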