Skip to content

Commit

Permalink
remove shell=True (#470)
Browse files Browse the repository at this point in the history
* remove shell=True
* constrain profile options
  • Loading branch information
AllyW authored Sep 12, 2024
1 parent 8b3c669 commit 09c0cb2
Show file tree
Hide file tree
Showing 5 changed files with 29 additions and 10 deletions.
4 changes: 4 additions & 0 deletions HISTORY.rst
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@
Release History
===============
0.1.78
++++++
* Mitigate shell injection risk from user input.

0.1.77
++++++
* `azdev extension cal-next-version`: Fix pre_num when tagged preview version with `major`, `minor`, `patch`.
Expand Down
2 changes: 2 additions & 0 deletions README.rst
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ Microsoft Azure CLI Dev Tools (azdev)

The ``azdev`` tool is designed to aid new and experienced developers in contributing to Azure CLI command modules and extensions.

Notes: `azdev` command line tool is only designed for internal use and running on a local machine. It should never be used to take input from untrusted/outside sources or used behind another application.

Setting up your development environment
+++++++++++++++++++++++++++++++++++++++

Expand Down
2 changes: 1 addition & 1 deletion azdev/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -4,4 +4,4 @@
# license information.
# -----------------------------------------------------------------------------

__VERSION__ = '0.1.77'
__VERSION__ = '0.1.78'
2 changes: 1 addition & 1 deletion azdev/params.py
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ def load_arguments(self, _):
help="Space-separated list of tests to run. Can specify module or extension names, test filenames, class name or individual method names. "
"Omit to check all or use 'CLI' or 'EXT' to check only CLI modules or extensions respectively.",
completer=get_test_completion)
c.argument('profile', options_list='--profile', help='Run automation against a specific profile. If omit, the tests will run against current profile.')
c.argument('profile', options_list='--profile', choices=['latest', '2017-03-09-profile', '2018-03-01-hybrid', '2019-03-01-hybrid', '2020-09-01-profile'], help='Run automation against a specific profile. If omit, the tests will run against current profile.')
c.argument('pytest_args', nargs=argparse.REMAINDER, options_list=['--pytest-args', '-a'], help='Denotes the remaining args will be passed to pytest.')
c.argument('last_failed', options_list='--lf', action='store_true', help='Re-run the last tests that failed.')
c.argument('no_exit_first', options_list='--no-exitfirst', action='store_true', help='Do not exit on first error or failed test')
Expand Down
29 changes: 21 additions & 8 deletions azdev/utilities/command.py
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
import os
import subprocess
import sys
import shlex

from knack.log import get_logger
from knack.util import CommandResultItem
Expand All @@ -31,10 +32,16 @@ def call(command, **kwargs):
:param kwargs: Any kwargs supported by subprocess.Popen
:returns: (int) process exit code.
"""
return subprocess.call(
command,
shell=True,
**kwargs)
from azdev.utilities import IS_WINDOWS
cmd_args = command
if IS_WINDOWS and command.startswith('az '):
cmd_args = "az.bat " + command[3:]
if not IS_WINDOWS:
cmd_args = shlex.split(command)
return subprocess.run(
cmd_args,
check=False, # supress subprocess-run-check linter warning, no CalledProcessError
**kwargs).returncode


def cmd(command, message=False, show_stderr=True, raise_error=False, **kwargs):
Expand All @@ -57,12 +64,18 @@ def cmd(command, message=False, show_stderr=True, raise_error=False, **kwargs):
display(message)

logger.info("Running: %s", command)
cmd_args = command
if IS_WINDOWS and command.startswith('az '):
cmd_args = "az.bat " + command[3:]
if not IS_WINDOWS:
cmd_args = shlex.split(command)
try:
output = subprocess.check_output(
command.split(),
output = subprocess.run(
cmd_args,
check=True,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT if show_stderr else None,
shell=IS_WINDOWS,
**kwargs).decode('utf-8').strip()
**kwargs).stdout.decode('utf-8').strip()
logger.debug(output)
return CommandResultItem(output, exit_code=0, error=None)
except subprocess.CalledProcessError as err:
Expand Down

0 comments on commit 09c0cb2

Please sign in to comment.