[device/celestica] Mitigation for command injection vulnerability

[maipbui]

Signed-off-by: maipbui maibui@microsoft.com

Dependency: PR (#12065) needs to merge first.

Why I did it

1. eval() - not secure against maliciously constructed input, can be dangerous if used to evaluate dynamic content. This may be a code injection vulnerability.
2. subprocess() - when using with shell=True is dangerous. Using subprocess function without a static string can lead to command injection.
3. os - not secure against maliciously constructed input and dangerous if used to evaluate dynamic content.
4. is operator - string comparison should not be used with reference equality.
5. globals() - extremely dangerous because it may allow an attacker to execute arbitrary code on the system

How I did it

1. eval() - use literal_eval()
2. subprocess() - use shell=False instead. use an array string. Ref: https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation
3. os - use with subprocess
4. is - replace by == operator for value equality
5. globals() - avoid the use of globals()

How to verify it

Which release branch to backport (provide reason below if selected)

• 201811
• 201911
• 202006
• 202012
• 202106
• 202111
• 202205

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

[lgtm-com]

This pull request introduces 1 alert and fixes 6 when merging c24eec3 into a66941a - view on LGTM.com

new alerts:

• 1 for Syntax error

fixed alerts:

• 3 for Variable defined multiple times
• 2 for Unused import
• 1 for Wrong name for an argument in a class instantiation

[qiluo-msft]

def get_output(self, index, config, default):

Seems this function is not used. Please remove.
@mudsut4ke Could you help review?

---

Refers to: device/celestica/x86_64-cel_e1031-r0/sonic_platform/common.py:226 in ca56944. [](commit_id = ca56944, deletion_comment = False)

[qiluo-msft]

def set_output(self, index, input, config):

Seems this function is not used. Please remove.
@mudsut4ke Could you help review?

---

Refers to: device/celestica/x86_64-cel_e1031-r0/sonic_platform/common.py:281 in ca56944. [](commit_id = ca56944, deletion_comment = False)

[lgtm-com]

This pull request introduces 7 alerts and fixes 6 when merging dada9ae into fdd9130 - view on LGTM.com

new alerts:

• 3 for Unused local variable
• 2 for Unused import
• 1 for Unreachable code
• 1 for Wrong number of arguments in a call

fixed alerts:

• 5 for Except block handles 'BaseException'
• 1 for Unused import

[lgtm-com]

This pull request introduces 5 alerts and fixes 6 when merging 91781fe into fdd9130 - view on LGTM.com

new alerts:

• 4 for Unused local variable
• 1 for Wrong number of arguments in a call

fixed alerts:

• 5 for Except block handles 'BaseException'
• 1 for Unused import

[lgtm-com]

This pull request introduces 1 alert and fixes 6 when merging 6647f81 into fdd9130 - view on LGTM.com

new alerts:

• 1 for Wrong number of arguments in a call

fixed alerts:

• 5 for Except block handles 'BaseException'
• 1 for Unused import

[lgtm-com]

This pull request introduces 1 alert and fixes 12 when merging a7b8055 into 1b5d07f - view on LGTM.com

new alerts:

• 1 for Wrong number of arguments in a call

fixed alerts:

• 6 for Except block handles 'BaseException'
• 6 for Unused import

[lgtm-com]

This pull request introduces 1 alert and fixes 13 when merging 65b4300 into fd6a1b0 - view on LGTM.com

new alerts:

• 1 for Wrong number of arguments in a call

fixed alerts:

• 8 for Unused import
• 5 for Except block handles 'BaseException'

[lgtm-com]

This pull request introduces 1 alert and fixes 13 when merging 0ce54ef into fd6a1b0 - view on LGTM.com

new alerts:

• 1 for Wrong number of arguments in a call

fixed alerts:

• 8 for Unused import
• 5 for Except block handles 'BaseException'

[lgtm-com]

This pull request fixes 13 alerts when merging a971633 into 1f0699f - view on LGTM.com

fixed alerts:

• 8 for Unused import
• 5 for Except block handles 'BaseException'

[lgtm-com]

This pull request fixes 13 alerts when merging 92147d7 into 1073a47 - view on LGTM.com

fixed alerts:

• 8 for Unused import
• 5 for Except block handles 'BaseException'

[maipbui]

/azp run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[qiluo-msft]

@Blueve is connecting with Celestica reviewers.

[Blueve]

Celestica team acked to review, ETA: By Dec 11

[qnos]

If use subprocess.call, need to suppress stdout/stderr and handle docker command not found exception.
The following example codes work in both host and docker mode.

def is_host():
    try:
        subprocess.call(HOST_CHK_CMD, stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL)
    except FileNotFoundError:
        return False
    return True

[maipbui]

I think os.system is equivalent with subprocess.call without specifying stdout and stderr to DEVNULL. Ref: https://docs.python.org/3/library/subprocess.html#replacing-os-system

[maipbui]

I got what you meant, I will change per your suggestion

[qnos]

I think os.system is equivalent with subprocess.call without specifying stdout and stderr to DEVNULL. Ref: https://docs.python.org/3/library/subprocess.html#replacing-os-system

Yes, no essential differences between the two functions, but HOST_CHK_CMD had been changed from "docker > /dev/null 2>&1" to ["docker"], so there is no way to suppress the 'docker' command output any more in host mode. And handling the FileNotFoundError exception is also necessary for docker mode.

[maipbui]

Fixed. Could you review and approve? Thank you!

[qnos]

Please consider changing the is_host function implementation as suggested above.

[qnos]

Please consider changing the is_host function implementation as suggested above.

[qnos]

Please consider changing the is_host function implementation as suggested above.

[qnos]

Please consider changing the is_host function implementation as suggested above.

[qnos]

Except the is_host() function implementation, agree with all other changes.

[lgtm-com]

This pull request fixes 13 alerts when merging 34991a5 into d993444 - view on LGTM.com

fixed alerts:

• 8 for Unused import
• 5 for Except block handles 'BaseException'

---

Heads-up: LGTM.com's PR analysis will be disabled on the 5th of December, and LGTM.com will be shut down ⏻ completely on the 16th of December 2022. Please enable GitHub code scanning, which uses the same CodeQL engine ⚙️ that powers LGTM.com. For more information, please check out our post on the GitHub blog.