[device/delta] Mitigation for command injection vulnerability #11865

Merged
merged 9 commits into from
Oct 14, 2022


maipbui
Contributor

@maipbui maipbui commented Aug 29, 2022

Why I did it

os execution functions are not secure against maliciously constructed input.

How I did it

Use subprocess module

How to verify it

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)
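
The change described above, as an added example (not code from this pull request, whose diff is not shown here): the same constructed input is passed once through a shell string and once as an argv list, and a shell pipeline is rebuilt without a shell. The function names and the sample input are hypothetical; the block assumes a POSIX system with `echo` and `grep` on the PATH.

```python
import os
import subprocess

# Constructed hostile input: a value followed by a shell command separator.
HOSTILE = "eth0; echo INJECTED"


def show_unsafe(value):
    """'Before' pattern: os.popen() hands the whole string to /bin/sh."""
    with os.popen("echo " + value) as pipe:
        return pipe.read().splitlines()


def show_safe(value):
    """'After' pattern: argv list, no shell, so value is one literal argument."""
    result = subprocess.run(["echo", value], capture_output=True,
                            text=True, check=True)
    return result.stdout.splitlines()


def count_matches_safe(value, needle):
    """Shell-free replacement for `echo <value> | grep -c <needle>`."""
    producer = subprocess.Popen(["echo", value], stdout=subprocess.PIPE)
    # "--" stops grep from treating a needle that starts with "-" as an option.
    consumer = subprocess.Popen(["grep", "-c", "--", needle],
                                stdin=producer.stdout,
                                stdout=subprocess.PIPE, text=True)
    producer.stdout.close()  # producer gets SIGPIPE if the consumer exits early
    out, _ = consumer.communicate()
    producer.wait()
    return int(out.strip())


if __name__ == "__main__":
    print("os.popen      :", show_unsafe(HOSTILE))
    print("subprocess.run:", show_safe(HOSTILE))
    print("pipe, no shell:", count_matches_safe(HOSTILE, "INJECTED"))
```

With the shell string, the text after `;` runs as a second command; with the argv list it stays part of a single argument.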

Signed-off-by: maipbui <maibui@microsoft.com>
Signed-off-by: maipbui <maibui@microsoft.com>
@lgtm-com

lgtm-com bot commented Aug 29, 2022

This pull request introduces 15 alerts and fixes 3 when merging f686fb6 into 178a30b - view on LGTM.com

new alerts:

  • 9 for Wrong name for an argument in a class instantiation
  • 6 for Unused import

fixed alerts:

  • 3 for Unused import

Signed-off-by: maipbui <maibui@microsoft.com>
@lgtm-com

lgtm-com bot commented Aug 29, 2022

This pull request fixes 3 alerts when merging 1e0a2be into 35945c9 - view on LGTM.com

fixed alerts:

  • 3 for Unused import

@maipbui maipbui requested a review from qiluo-msft August 29, 2022 14:20
Signed-off-by: maipbui <maibui@microsoft.com>
Signed-off-by: maipbui <maibui@microsoft.com>
@lgtm-com

lgtm-com bot commented Aug 30, 2022

This pull request introduces 1 alert and fixes 3 when merging 8fc3cae into 092e039 - view on LGTM.com

new alerts:

  • 1 for Syntax error

fixed alerts:

  • 3 for Unused import

Signed-off-by: maipbui <maibui@microsoft.com>
@lgtm-com

lgtm-com bot commented Aug 30, 2022

This pull request fixes 3 alerts when merging 264a5c5 into 092e039 - view on LGTM.com

fixed alerts:

  • 3 for Unused import

Signed-off-by: maipbui <maibui@microsoft.com>
@lgtm-com

lgtm-com bot commented Aug 31, 2022

This pull request fixes 2 alerts when merging 13c7ed0 into 092e039 - view on LGTM.com

fixed alerts:

  • 2 for Unused import

@maipbui maipbui requested a review from qiluo-msft August 31, 2022 04:26
Signed-off-by: maipbui <maibui@microsoft.com>
@lgtm-com

lgtm-com bot commented Aug 31, 2022

This pull request fixes 2 alerts when merging fdd43b3 into c601f24 - view on LGTM.com

fixed alerts:

  • 2 for Unused import

@maipbui maipbui marked this pull request as ready for review September 2, 2022 13:34
@qiluo-msft
Collaborator

@hanstseng @zoe-kuan Could you help review and verify?

@maipbui maipbui added the "Request for 202111 Branch" and "Request for 202205 Branch" labels Sep 20, 2022
Signed-off-by: maipbui <maibui@microsoft.com>
@lgtm-com

lgtm-com bot commented Oct 5, 2022

This pull request fixes 2 alerts when merging 245e66d into 1f0699f - view on LGTM.com

fixed alerts:

  • 2 for Unused import
