-
Notifications
You must be signed in to change notification settings - Fork 664
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[utilities_common] replace shell=True #2718
Conversation
Signed-off-by: maipbui <[email protected]>
Signed-off-by: maipbui <[email protected]>
config/main.py
Outdated
clicommon.run_command('hostname -F /etc/hostname', display_cmd=True) | ||
clicommon.run_command(r'sed -i "/\s{}$/d" /etc/hosts'.format(current_hostname), display_cmd=True) | ||
clicommon.run_command('echo "127.0.0.1 {}" >> /etc/hosts'.format(hostname), display_cmd=True) | ||
with open('etc/hostname', 'w') as f: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
config/main.py
Outdated
f.write(str(hostname) + '\n') | ||
clicommon.run_command(['hostname', '-F', '/etc/hostname'], display_cmd=True) | ||
clicommon.run_command(['sed', '-i', "/\s{}$/d".format(current_hostname), '/etc/hosts'], display_cmd=True) | ||
with open('etc/hosts', 'a') as f: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
@@ -1305,9 +1303,9 @@ def load(filename, yes): | |||
return | |||
|
|||
if namespace is None: | |||
command = "{} -j {} --write-to-db".format(SONIC_CFGGEN_PATH, file) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
config/main.py
Outdated
# Ignore error for IPv6 configuration command due to it not allows config the same IP twice | ||
clicommon.run_command(command, display_cmd=True, ignore_error=True) | ||
command = "ip{} route add default via {} dev eth0 table default".format(" -6" if mgmt_conf.version == 6 else "", gw_addr) | ||
command = ['ip{}'.format(" -6" if mgmt_conf.version == 6 else ""), 'route', 'add', 'default', 'via', str(gw_addr), 'dev', 'eth0', 'table', 'default'] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
config/main.py
Outdated
clicommon.run_command(command, display_cmd=True, ignore_error=True) | ||
command = "ip{} rule add from {} table default".format(" -6" if mgmt_conf.version == 6 else "", str(mgmt_conf.ip)) | ||
command = ['ip{}'.format(" -6" if mgmt_conf.version == 6 else ""), 'rule', 'add', 'from', str(mgmt_conf.ip), 'table', 'default'] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
config/main.py
Outdated
clicommon.run_command(command, display_cmd=True, ignore_error=True) | ||
pid_cmd = ['cat', '/var/run/dhclient.eth0.pid'] | ||
_, pid = getstatusoutput_noshell(pid_cmd) | ||
cmd0 = ['[', '-f', '/var/run/dhclient.eth0.pid', ']'] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
show/platform.py
Outdated
cmd = "sudo ssdutil -d " + device | ||
options = " -v" if verbose else "" | ||
options += " -e" if vendor else "" | ||
cmd = ['sudo', 'ssdutil', '-d', device] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
config/main.py
Outdated
|
||
|
||
def _get_sonic_services(): | ||
out, _ = clicommon.run_command("systemctl list-dependencies --plain sonic.target | sed '1d'", return_cmd=True) | ||
cmd = "systemctl list-dependencies --plain sonic.target | sed '1d'" | ||
out, _ = clicommon.run_command(cmd, return_cmd=True, shell=True) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
Update sonic-utilities submodule pointer to include the following: * 5c9b2177 Fix issue: out of range sflow polling interval is accepted and stored in config_db ([sonic-net#2847](sonic-net/sonic-utilities#2847)) * 72ca4848 Add CLI configuration options for teamd retry count feature ([sonic-net#2642](sonic-net/sonic-utilities#2642)) * 359dfc0c [Clock] Implement clock CLI ([sonic-net#2793](sonic-net/sonic-utilities#2793)) * b316fc27 Add transceiver status CLI to show output from TRANSCEIVER_STATUS table ([sonic-net#2772](sonic-net/sonic-utilities#2772)) * dc59dbd2 Replace pickle by json ([sonic-net#2849](sonic-net/sonic-utilities#2849)) * a66f41c4 [show] replace shell=True, replace xml by lxml, replace exit by sys.exit ([sonic-net#2666](sonic-net/sonic-utilities#2666)) * 57500572 [utilities_common] replace shell=True ([sonic-net#2718](sonic-net/sonic-utilities#2718)) * 6e0ee3e7 [CRM][DASH] Extend CRM utility to support DASH resources. ([sonic-net#2800](sonic-net/sonic-utilities#2800)) * b2c29b0b [config] Generate sysinfo in single asic ([sonic-net#2856](sonic-net/sonic-utilities#2856)) Signed-off-by: dprital <[email protected]>
…nic-utilities submodule on master (#15193) Dependency: sonic-net/sonic-utilities#2718 Why I did it This PR sonic-net/sonic-utilities#2718 reduce shell=True usage in utilities_common.cli.run_command() function. Work item tracking Microsoft ADO (number only): 15022050 How I did it Replace strings commands using utilities_common.cli.run_command() function to list of strings due to circular dependency, advance sonic-utilities submodule 72ca4848 (HEAD -> master, upstream/master, upstream/HEAD) Add CLI configuration options for teamd retry count feature (sonic-net/sonic-utilities#2642) 359dfc0c [Clock] Implement clock CLI (sonic-net/sonic-utilities#2793) b316fc27 Add transceiver status CLI to show output from TRANSCEIVER_STATUS table (sonic-net/sonic-utilities#2772) dc59dbd2 Replace pickle by json (sonic-net/sonic-utilities#2849) a66f41c4 [show] replace shell=True, replace xml by lxml, replace exit by sys.exit (sonic-net/sonic-utilities#2666) 57500572 [utilities_common] replace shell=True (sonic-net/sonic-utilities#2718) 6e0ee3e7 [CRM][DASH] Extend CRM utility to support DASH resources. (sonic-net/sonic-utilities#2800) b2c29b0b [config] Generate sysinfo in single asic (sonic-net/sonic-utilities#2856)
#### What I did `subprocess()` - when using with `shell=True` is dangerous. Using subprocess function without a static string can lead to command injection. #### How I did it remove shell=True in utilities_common.cli.run_command() function. `subprocess()` - use `shell=False` instead, use list of strings Ref: [https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation](https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation) #### How to verify it Pass UT Manual test Signed-off-by: Mai Bui <[email protected]>
Resolves sonic-net/sonic-buildimage#16542 #### What I did Update str -> list[str] commands which were missed in #2718 #### How I did it #### How to verify it Pass UT. Manual test, issue resolved, tested in internal.79435802-3bbd91c86e version Signed-off-by: Mai Bui <[email protected]>
Resolves sonic-net/sonic-buildimage#16542 Update str -> list[str] commands which were missed in sonic-net#2718 Pass UT. Manual test, issue resolved, tested in internal.79435802-3bbd91c86e version Signed-off-by: Mai Bui <[email protected]>
Why I did Use static str to run_command would encounter error because change in this PR: #2718. How I did it Change command from static str to list. How to verify it UT passed. Build whl and install in testbed. Signed-off-by: Yaqiang Zhu <[email protected]>
…nic-utilities submodule on master (sonic-net#15193) Dependency: sonic-net/sonic-utilities#2718 Why I did it This PR sonic-net/sonic-utilities#2718 reduce shell=True usage in utilities_common.cli.run_command() function. Work item tracking Microsoft ADO (number only): 15022050 How I did it Replace strings commands using utilities_common.cli.run_command() function to list of strings due to circular dependency, advance sonic-utilities submodule 72ca4848 (HEAD -> master, upstream/master, upstream/HEAD) Add CLI configuration options for teamd retry count feature (sonic-net/sonic-utilities#2642) 359dfc0c [Clock] Implement clock CLI (sonic-net/sonic-utilities#2793) b316fc27 Add transceiver status CLI to show output from TRANSCEIVER_STATUS table (sonic-net/sonic-utilities#2772) dc59dbd2 Replace pickle by json (sonic-net/sonic-utilities#2849) a66f41c4 [show] replace shell=True, replace xml by lxml, replace exit by sys.exit (sonic-net/sonic-utilities#2666) 57500572 [utilities_common] replace shell=True (sonic-net/sonic-utilities#2718) 6e0ee3e7 [CRM][DASH] Extend CRM utility to support DASH resources. (sonic-net/sonic-utilities#2800) b2c29b0b [config] Generate sysinfo in single asic (sonic-net/sonic-utilities#2856)
Why I did Use static str to run_command would encounter error because change in this PR: #2718. How I did it Change command from static str to list. How to verify it UT passed. Build whl and install in testbed. Signed-off-by: Yaqiang Zhu <[email protected]>
Resolves sonic-net/sonic-buildimage#16542 #### What I did Update str -> list[str] commands which were missed in sonic-net#2718 #### How I did it #### How to verify it Pass UT. Manual test, issue resolved, tested in internal.79435802-3bbd91c86e version Signed-off-by: Mai Bui <[email protected]>
Why I did Use static str to run_command would encounter error because change in this PR: sonic-net#2718. How I did it Change command from static str to list. How to verify it UT passed. Build whl and install in testbed. Signed-off-by: Yaqiang Zhu <[email protected]>
What I did
subprocess()
- when using withshell=True
is dangerous. Using subprocess function without a static string can lead to command injection.How I did it
remove shell=True in utilities_common.cli.run_command() function.
subprocess()
- useshell=False
instead, use list of strings Ref: https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigationHow to verify it
Pass UT
Manual test
Previous command output (if the output of a command-line utility has changed)
New command output (if the output of a command-line utility has changed)