Use of exec() in setup.py
Proposal
The use of exec can be dangerous, potentially allowing execution of Python code on a system.
Motivation
The codebase should more strictly follow Python convention to hopefully improve maintainability.
Details
Since this is the setup.py script, it may not need to be addressed as we assume this is something that will be deployed by the user and does not pose an immediate risk to the operation of the tool. This could/should be mitigated at some point to not use exec. The specific code is mentioned below:
https://github.com/cisagov/findcdn/blob/46073ffbe9bffcdd3f76173356afeae22521eabe/setup.py#L29
This is inherited from cisagov/skeleton-python-library, so I would kick the issue up the chain.
https://github.com/cisagov/skeleton-python-library/blob/develop/setup.py has indeed updated and removed this truly bizarre way to read a version string.
Closing since this has been fixed!
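For reference, one way to read a version string without executing the version file, shown beside a generic exec-based reader. This is an added example, not code from findcdn or skeleton-python-library; the function names, the `_version.py` file name, the sample file contents and the `VERSION_FILE_EXECUTED` marker are all assumptions made for illustration.

```python
import ast
import os
import tempfile

# Constructed sample version file. The import line stands in for any
# statement that runs as a side effect when the file is executed.
SAMPLE = (
    '"""Version information (constructed sample)."""\n'
    'import os; os.environ["VERSION_FILE_EXECUTED"] = "1"\n'
    '__version__ = "1.2.3"\n'
)


def version_via_exec(path):
    """Assumed shape of an exec-based reader: runs every statement in the file."""
    pkg_vars = {}
    with open(path, encoding="utf-8") as f:
        exec(f.read(), pkg_vars)
    return pkg_vars["__version__"]


def version_via_ast(path, name="__version__"):
    """Parse the file and return the string literal bound to `name`; nothing is run."""
    with open(path, encoding="utf-8") as f:
        tree = ast.parse(f.read(), filename=path)
    for node in tree.body:  # top-level statements only
        if not isinstance(node, ast.Assign):
            continue
        if any(isinstance(t, ast.Name) and t.id == name for t in node.targets):
            value = node.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str):
                return value.value
            raise ValueError(f"{name} is not a plain string literal")
    raise ValueError(f"{name} not found in {path}")


def demo():
    """Return (ast result, side effect ran?, exec result, side effect ran?)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "_version.py")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE)
        os.environ.pop("VERSION_FILE_EXECUTED", None)
        parsed = version_via_ast(path)
        ran_after_ast = "VERSION_FILE_EXECUTED" in os.environ
        executed = version_via_exec(path)
        ran_after_exec = "VERSION_FILE_EXECUTED" in os.environ
        os.environ.pop("VERSION_FILE_EXECUTED", None)
    return parsed, ran_after_ast, executed, ran_after_exec
```

The AST reader rejects a computed `__version__` (anything other than a string literal) with `ValueError` instead of evaluating it.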