py2lcov and xml2lcov: Fix command injection from `subprocess.run(…

…[..], shell=True, [..])` (fixes #350) (#356) * xml2lcovutil.py: Extract variable lcov Signed-off-by: Sebastian Pipping <[email protected]> * xml2lcov: Stop allowing command injection via xml2lcovutil.py Signed-off-by: Sebastian Pipping <[email protected]> * py2lcov: Stop allowing command injection Signed-off-by: Sebastian Pipping <[email protected]> --------- Signed-off-by: Sebastian Pipping <[email protected]>
linux-test-project · Dec 18, 2024 · 716f14f · 716f14f
1 parent cea2ab8
commit 716f14f
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 10 deletions.
diff --git a/bin/py2lcov b/bin/py2lcov
@@ -191,10 +191,12 @@ Example:
         while os.path.exists(xml):
             xml = base + '.xml%d' % suffix
             suffix += 1
-        cmd = "COVERAGE_FILE='%s' '%s' xml -o '%s'" % (f, args.cover_cmd, xml)
+        env = os.environ.copy()
+        env["COVERAGE_FILE"] = f
+        cmd = [args.cover_cmd, "xml", "-o", xml]
         try:
-            #x = subprocess.run(cmd, capture_output=True, shell=True, check=True)
-            x = subprocess.run(cmd, shell=True, check=True, stdout=True, stderr=True)
+            #x = subprocess.run(cmd, capture_output=True, shell=False, check=True, env=env)
+            x = subprocess.run(cmd, shell=False, check=True, stdout=True, stderr=True, env=env)
         except subprocess.CalledProcessError as err:
             print("Error:  error during XML conversion of %s: %s" % (
                 f, str(err)));

diff --git a/bin/xml2lcovutil.py b/bin/xml2lcovutil.py
@@ -121,14 +121,19 @@ def close(self):
         self._outf.close()
 
         if self._args.version and None == self._versionScript:
-            cmd = "'%(lcov)s' -a '%(info)s' -o '%(info)s' --version-script '%(vers)s' %(checksum)s--rc compute_file_version=1 --branch-coverage --ignore inconsistent" % {
-                'lcov': os.path.join(os.path.split(sys.argv[0])[0], 'lcov'),
-                'checksum': "--checksum " if self._args.checksum else '',
-                'info': self._args.output,
-                'vers' : self._args.version,
-            }
+            lcov = os.path.join(os.path.split(sys.argv[0])[0], 'lcov')
+            cmd = [
+                lcov,
+                "-a", self._args.output,
+                "-o", self._args.output,
+                "--version-script", self._args.version,
+                *(["--checksum"] if self._args.checksum else []),
+                "--rc", "compute_file_version=1",
+                "--branch-coverage",
+                "--ignore", "inconsistent",
+            ]
             try:
-                x = subprocess.run(cmd, shell=True, check=True, stdout=True, stderr=True)
+                x = subprocess.run(cmd, shell=False, check=True, stdout=True, stderr=True)
             except subprocess.CalledProcessError as err:
                 print("Error during lcov version append operation: %s" % (
                     str(err)))