Skip to content

[show] replace shell=True, replace xml by lxml, replace exit by sys.exit#2666

Merged
maipbui merged 15 commits intosonic-net:masterfrom
maipbui:show_pysec
May 31, 2023
Merged

[show] replace shell=True, replace xml by lxml, replace exit by sys.exit#2666
maipbui merged 15 commits intosonic-net:masterfrom
maipbui:show_pysec

Conversation

@maipbui
Copy link
Copy Markdown
Contributor

@maipbui maipbui commented Feb 9, 2023
edited
Loading

Signed-off-by: maipbui [email protected]

What I did

subprocess() - when using with shell=True is dangerous. Using subprocess function without a static string can lead to command injection.
sys.exit is better than exit, considered good to use in production code.
Ref:
https://stackoverflow.com/questions/6501121/difference-between-exit-and-sys-exit-in-python
https://stackoverflow.com/questions/19747371/python-exit-commands-why-so-many-and-when-should-each-be-used

How I did it

subprocess() - use shell=False instead, use list of strings Ref: https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation
Replace exit() by sys.exit()

How to verify it

Pass UT
Manual test

Previous command output (if the output of a command-line utility has changed)

New command output (if the output of a command-line utility has changed)

Loading
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@qiluo-msft qiluo-msft qiluo-msft approved these changes

Assignees

No one assigned

Labels

static-code-analysis

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@maipbui @qiluo-msft