[show] replace shell=True, replace xml by lxml, replace exit by sys.exit #2666
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: maipbui <[email protected]>
qiluo-msft
reviewed
Feb 10, 2023
show/main.py
Outdated
| if route_map_name is not None: | ||
| cmd += ' {}'.format(route_map_name) | ||
| cmd += '"' | ||
| cmd += [str(route_map_name)] |
There was a problem hiding this comment.
Could you make sure this is tested?
There was a problem hiding this comment.
To simplify:
cmd[-1] += ' {}'.format(route_map_name)
qiluo-msft
reviewed
Feb 10, 2023
show/main.py
Outdated
| if prefix_list_name is not None: | ||
| cmd += ' {}'.format(prefix_list_name) | ||
| cmd += '"' | ||
| cmd += [str(prefix_list_name)] |
qiluo-msft
reviewed
Feb 10, 2023
show/main.py
Outdated
| if prefix_list_name is not None: | ||
| cmd += ' {}'.format(prefix_list_name) | ||
| cmd += '"' | ||
| cmd += [str(prefix_list_name)] |
qiluo-msft
reviewed
Feb 10, 2023
show/main.py
Outdated
|
|
||
| run_command(cmd, display_cmd=verbose) | ||
| if cmd1 is None and cmd2 is None: |
There was a problem hiding this comment.
You implemented a 2x2 conditions with 4 branches. This is not scalable if number of cmd increase. For example 10 cmd.
You can construct an array first, and feed the expanded array to function call. ref: https://stackoverflow.com/a/7745986/2514803 #Closed
There was a problem hiding this comment.
or cmdn could be defined as array elements from the beginning.
qiluo-msft
reviewed
Feb 10, 2023
show/main.py
Outdated
| cmd0 = ['sudo', 'docker', 'ps'] | ||
| cmd1 = ['grep', 'bgp'] | ||
| cmd2 = ['awk', '{print$2}'] | ||
| cmd3 = ['cut', '-d', '-', '-f3'] |
qiluo-msft
reviewed
Feb 10, 2023
show/main.py
Outdated
| cmd1 = ['grep', 'bgp'] | ||
| cmd2 = ['awk', '{print$2}'] | ||
| cmd3 = ['cut', '-d', '-', '-f3'] | ||
| cmd4 = ['cut', '-d', ':', "-f1"] |
qiluo-msft
reviewed
Feb 10, 2023
show/plugins/barefoot.py
Outdated
| r'-maxdepth 1 -type d -name install_\*_profile ' + opts + '| sed ' | ||
| r's%/opt/bfn/install_\\\(.\*\\\)_profile%\\1%', shell=True) | ||
| cmd0 = ['docker', 'exec', '-it', 'syncd', 'find', '/opt/bfn', '-mindepth', '1',\ | ||
| r'-maxdepth', '1', '-type', 'd', '-name', 'install_\*_profile', r'{}' % opts] |
There was a problem hiding this comment.
r'' is to bypass escaping special characters. Using opts directly will escape special characters.
There was a problem hiding this comment.
Could you be more specific?, r is applied to {} string only.
There was a problem hiding this comment.
for example, r'\n' will treated the string containing 2 characters: backslash \ and letter n. But '\n' will be treated as a newline character.
There was a problem hiding this comment.
fixed, raised another PR for barefoot https://github.com/sonic-net/sonic-utilities/pull/2699/files
qiluo-msft
reviewed
Feb 10, 2023
show/plugins/barefoot.py
Outdated
| @@ -4,6 +4,7 @@ | |||
| import json | |||
| import subprocess | |||
| from sonic_py_common import device_info | |||
| from sonic_py_common.general import getstatusoutput_noshell_pipe, check_output_pipe | |||
|
|
|||
| @click.group() | |||
| def barefoot(): | |||
This file need to reviewed by Mellanox. Suggest further split into a smaller PR. In reply to: 1426293827 In reply to: 1426293827 In reply to: 1426293827 In reply to: 1426293827 In reply to: 1426293827 Refers to: show/plugins/mlnx.py:22 in 4d96b6e. [](commit_id = 4d96b6e, deletion_comment = False) |
qiluo-msft
reviewed
Feb 10, 2023
show/main.py
Outdated
| @@ -130,6 +133,32 @@ def run_command(command, display_cmd=False, return_cmd=False): | |||
| if rc != 0: | |||
| sys.exit(rc) | |||
|
|
|||
| def run_command_pipe(*args, display_cmd=False, return_cmd=False): | |||
Use string array instead of string for In reply to: 1426311506 In reply to: 1426311506 Refers to: show/platform.py:111 in 4d96b6e. [](commit_id = 4d96b6e, deletion_comment = False) |
Signed-off-by: maipbui <[email protected]>
Signed-off-by: maipbui <[email protected]>
Signed-off-by: maipbui <[email protected]>
qiluo-msft
reviewed
Feb 28, 2023
show/plugins/barefoot.py
Outdated
| r'-maxdepth 1 -type d -name install_\*_profile ' + opts + '| sed ' | ||
| r's%/opt/bfn/install_\\\(.\*\\\)_profile%\\1%', shell=True) | ||
| cmd0 = ['docker', 'exec', '-it', 'syncd', 'find', '/opt/bfn', '-mindepth', '1',\ | ||
| r'-maxdepth', '1', '-type', 'd', '-name', 'install_\*_profile', r'{}' % opts] |
Signed-off-by: maipbui <[email protected]>
|
/azp run Azure.sonic-utilities |
|
Azure Pipelines successfully started running 1 pipeline(s). |
qiluo-msft
previously approved these changes
Mar 7, 2023
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
qiluo-msft
reviewed
May 25, 2023
show/main.py
Outdated
| @click.option('-f', '--follow', is_flag=True) | ||
| @click.option('--verbose', is_flag=True, help="Enable verbose output") | ||
| def logging(process, lines, follow, verbose): | ||
| """Show system log""" | ||
| if process and not re.match(r'^[a-zA-Z0-9\s]+$', process): | ||
| sys.exit('Process contains only number, alphabet, and whitespace.') |
There was a problem hiding this comment.
Offline discussed, this check is not accurate. Let's revert back, and please use another future PR to focus on this fix.
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
qiluo-msft
previously approved these changes
May 31, 2023
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
Signed-off-by: Mai Bui <[email protected]>
qiluo-msft
approved these changes
May 31, 2023
10 tasks
dprital
added a commit
to dprital/sonic-buildimage
that referenced
this pull request
Jun 5, 2023
Update sonic-utilities submodule pointer to include the following: * 5c9b2177 Fix issue: out of range sflow polling interval is accepted and stored in config_db ([sonic-net#2847](sonic-net/sonic-utilities#2847)) * 72ca4848 Add CLI configuration options for teamd retry count feature ([sonic-net#2642](sonic-net/sonic-utilities#2642)) * 359dfc0c [Clock] Implement clock CLI ([sonic-net#2793](sonic-net/sonic-utilities#2793)) * b316fc27 Add transceiver status CLI to show output from TRANSCEIVER_STATUS table ([sonic-net#2772](sonic-net/sonic-utilities#2772)) * dc59dbd2 Replace pickle by json ([sonic-net#2849](sonic-net/sonic-utilities#2849)) * a66f41c4 [show] replace shell=True, replace xml by lxml, replace exit by sys.exit ([sonic-net#2666](sonic-net/sonic-utilities#2666)) * 57500572 [utilities_common] replace shell=True ([sonic-net#2718](sonic-net/sonic-utilities#2718)) * 6e0ee3e7 [CRM][DASH] Extend CRM utility to support DASH resources. ([sonic-net#2800](sonic-net/sonic-utilities#2800)) * b2c29b0b [config] Generate sysinfo in single asic ([sonic-net#2856](sonic-net/sonic-utilities#2856)) Signed-off-by: dprital <[email protected]>
10 tasks
StormLiangMS
pushed a commit
to sonic-net/sonic-buildimage
that referenced
this pull request
Jun 5, 2023
…nic-utilities submodule on master (#15193) Dependency: sonic-net/sonic-utilities#2718 Why I did it This PR sonic-net/sonic-utilities#2718 reduce shell=True usage in utilities_common.cli.run_command() function. Work item tracking Microsoft ADO (number only): 15022050 How I did it Replace strings commands using utilities_common.cli.run_command() function to list of strings due to circular dependency, advance sonic-utilities submodule 72ca4848 (HEAD -> master, upstream/master, upstream/HEAD) Add CLI configuration options for teamd retry count feature (sonic-net/sonic-utilities#2642) 359dfc0c [Clock] Implement clock CLI (sonic-net/sonic-utilities#2793) b316fc27 Add transceiver status CLI to show output from TRANSCEIVER_STATUS table (sonic-net/sonic-utilities#2772) dc59dbd2 Replace pickle by json (sonic-net/sonic-utilities#2849) a66f41c4 [show] replace shell=True, replace xml by lxml, replace exit by sys.exit (sonic-net/sonic-utilities#2666) 57500572 [utilities_common] replace shell=True (sonic-net/sonic-utilities#2718) 6e0ee3e7 [CRM][DASH] Extend CRM utility to support DASH resources. (sonic-net/sonic-utilities#2800) b2c29b0b [config] Generate sysinfo in single asic (sonic-net/sonic-utilities#2856)
pdhruv-marvell
pushed a commit
to pdhruv-marvell/sonic-utilities
that referenced
this pull request
Aug 23, 2023
…xit (sonic-net#2666) #### What I did `subprocess()` - when using with `shell=True` is dangerous. Using subprocess function without a static string can lead to command injection. `sys.exit` is better than `exit`, considered good to use in production code. Ref: https://stackoverflow.com/questions/6501121/difference-between-exit-and-sys-exit-in-python https://stackoverflow.com/questions/19747371/python-exit-commands-why-so-many-and-when-should-each-be-used #### How I did it `subprocess()` - use `shell=False` instead, use list of strings Ref: [https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation](https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation) Replace `exit()` by `sys.exit()` #### How to verify it Pass UT Manual test Signed-off-by: Mai Bui <[email protected]>
sonic-otn
pushed a commit
to sonic-otn/sonic-buildimage
that referenced
this pull request
Sep 20, 2023
…nic-utilities submodule on master (sonic-net#15193) Dependency: sonic-net/sonic-utilities#2718 Why I did it This PR sonic-net/sonic-utilities#2718 reduce shell=True usage in utilities_common.cli.run_command() function. Work item tracking Microsoft ADO (number only): 15022050 How I did it Replace strings commands using utilities_common.cli.run_command() function to list of strings due to circular dependency, advance sonic-utilities submodule 72ca4848 (HEAD -> master, upstream/master, upstream/HEAD) Add CLI configuration options for teamd retry count feature (sonic-net/sonic-utilities#2642) 359dfc0c [Clock] Implement clock CLI (sonic-net/sonic-utilities#2793) b316fc27 Add transceiver status CLI to show output from TRANSCEIVER_STATUS table (sonic-net/sonic-utilities#2772) dc59dbd2 Replace pickle by json (sonic-net/sonic-utilities#2849) a66f41c4 [show] replace shell=True, replace xml by lxml, replace exit by sys.exit (sonic-net/sonic-utilities#2666) 57500572 [utilities_common] replace shell=True (sonic-net/sonic-utilities#2718) 6e0ee3e7 [CRM][DASH] Extend CRM utility to support DASH resources. (sonic-net/sonic-utilities#2800) b2c29b0b [config] Generate sysinfo in single asic (sonic-net/sonic-utilities#2856)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: maipbui [email protected]
What I did
subprocess()- when using withshell=Trueis dangerous. Using subprocess function without a static string can lead to command injection.sys.exitis better thanexit, considered good to use in production code.Ref:
https://stackoverflow.com/questions/6501121/difference-between-exit-and-sys-exit-in-python
https://stackoverflow.com/questions/19747371/python-exit-commands-why-so-many-and-when-should-each-be-used
How I did it
subprocess()- useshell=Falseinstead, use list of strings Ref: https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigationReplace
exit()bysys.exit()How to verify it
Pass UT
Manual test
Previous command output (if the output of a command-line utility has changed)
New command output (if the output of a command-line utility has changed)