cobbler icon indicating copy to clipboard operation
cobbler copied to clipboard

Published 20 hours ago verified publisher icon cobbler

Check subprocess.call for shell options

Open SchoolGuy opened this issue 3 years ago • 4 comments

Currently in many places we use subprocess.call with shell=True which may not be needed. Thus we need to check all occurrences and change those that need change.

SchoolGuy avatar Dec 15 '21 15:12 SchoolGuy

file: cobbler/scripts/migrate-data-v2-to-v3.py the line:

for old_path, new_path in path_rename:
    if os.path.isdir(old_path):
        subprocess.run(["cp", "-al", "%s/*" % old_path, "%s/" % new_path], shell=True)

if you run it , it will raise error same as the demo:

subprocess.run(["/usr/bin/cp", "-r", '/var/lib/cobbler/grub_config/*', "%s/" % '/root/test/'], shell=True)
/usr/bin/cp: missing file operand
Try '/usr/bin/cp --help' for more information.
CompletedProcess(args=['/usr/bin/cp', '-r', '/var/lib/cobbler/grub_config/*', '/root/test//'], returncode=1)

a fix test with python3 as follow:

>>> os.system("ls /var/lib/cobbler/grub_config")
grub  grub.cfg	README.grubconfig
0
>>> subprocess.run(["/usr/bin/cp", "-r", '/var/lib/cobbler/grub_config/*', "%s/" % '/root/test/'])
/usr/bin/cp: cannot stat ‘/var/lib/cobbler/grub_config/*’: No such file or directory
CompletedProcess(args=['/usr/bin/cp', '-r', '/var/lib/cobbler/grub_config/*', '/root/test//'], returncode=1)
>>> subprocess.run(["/usr/bin/cp", "-r", '/var/lib/cobbler/grub_config/', "%s/" % '/root/test/'])
CompletedProcess(args=['/usr/bin/cp', '-r', '/var/lib/cobbler/grub_config/', '/root/test//'], returncode=0)

so for your issue title, you can remove shell=True . At the same time, and do not pass list into subprocess.run, you can pass shell string if you set shell=True, then fix cobbler/scripts/migrate-data-v2-to-v3.py error

parkour99 avatar Dec 16 '21 12:12 parkour99

@parkour99 Thanks for the contribution. I will have a look at it. However this is also meant for the rest of the codebase where we use this. For example in cobbler buildiso we do use that param as well (encapsulated through our utils module) and thus we need to check those usages as well.

SchoolGuy avatar Dec 17 '21 09:12 SchoolGuy

For fixing this we need to understand the implications this has. They are documented at the following locations:

  • https://docs.python.org/3.6/library/subprocess.html#frequently-used-arguments
  • https://docs.python.org/3.6/library/subprocess.html#security-considerations

SchoolGuy avatar Feb 03 '22 07:02 SchoolGuy

An easy overview for this can be found at: Codacy. The filter I set in the UI (via the link) will show all usages we have at the moment.

SchoolGuy avatar Jul 26 '22 13:07 SchoolGuy