Avoid need to quote arguments for commands running without a shell (#5578) #5583
Conversation
Hi @jkuebart
Thanks very much for your pull request.
I think that it might be doing some things besides what the title says: "specify commands as sequences", in this case, the changes to the environment, that might not be necessary. Are they really necessary for being able to pass the command as a sequence?
Please have a look at the comments, especially regarding possible breaking behaviors. While we try to have good test coverage, there might always be cases that are not covered, so please consider those comments.
Also, have a look at the broken tests in https://conan-ci.jfrog.info/blue/organizations/jenkins/ConanTestSuite/detail/PR-5583/1/pipeline and try running them locally; I have had a look at CI, but it is not evident to me what has changed. Thanks!
Hi James, thank you for your comments and taking the time to look at this.
You are right, previously Conan modified its own process environment before executing children and restored it later. I changed it such that the desired environment is instead passed to I originally made this change because when passing the command as a sequence it's not possible to simply add a variable as was done by the code in the case of In the long run, I believe that specifying the environment on execution instead of modifying the own process environment is slightly nicer, but that can be discussed separately.
I'm looking at the CI now, some environment variables seem to get expanded when previously they didn't – I haven't understood what caused this yet…
@memsharded Hi James, I made the changes you suggested and the builds are now passing :-)
Thanks very much for taking into account the review.
I'd like to know better about the shell features, please check comments.
@memsharded Hi James, have you had a chance to have another look at this patch?
@uilianries updated – would love to hear your comments.
I think it's really a shame that a security-critical PR like this remains ignored. Requested changes were applied, re-review requested, all tests are passing and for all intents and purposes the change is both backwards compatible and in line with the functionality of the underlying Python library. As mentioned in the initial comment, this solves security-critical problems that come up all the time in a clean manner which could be used immediately by new and existing projects. Still, there is no feedback on this for six months without any way to know what is holding up progress.
I'd like to move forward this PR.
Maybe we can even consider, for the CONAN_V2_MODE, running these commands with shell=False.
@jgsogo that's great, thanks for taking this up! I've merged to
I think being able to run in a shell can be a useful feature – it makes it easy to reuse some features that are easy to do in a shell. Whether it should be provided implicitly (by passing strings vs arrays) or explicitly is of course debatable.
I've created a PR adding a test here: https://github.com/jkuebart/conan/pull/1. Please, @memsharded, let me know if we need any other test besides that one, and please @jkuebart merge that PR if you see it is correct (if not, tomorrow we will add it to your branch because we want to finish the release asap). Thanks!
Hi @jgsogo, thank you for getting this merged so quickly in the end. I've just verified the test you added by removing the section in
Normally the test passes, proving that it works and in fact tests what it's supposed to test.
yeah, good job! Sorry @jkuebart that this took so long to process, sometimes issues and contributions get buried in the backlog, the activity is so high that it is inevitable that some things fall through the cracks. Thanks for bringing attention to this again.
Changelog: Feature: Pass command to Runner as a sequence instead of string.
Docs: conan-io/docs#1385
Closes #5578
ConanFile's run() method only supports commands passed as strings. This forces users to correctly quote all arguments diligently, which is not only a frequent source of bugs but also leaves naïve but innocent-looking recipes wide open to code-injection bugs of the form "; rm -rf ~;". The underlying Python call subprocess.Popen() already supports this, and os.system() can be replaced by subprocess.run(), which does this as well.
This PR seamlessly supports commands as both strings and sequences and is fully backwards-compatible. It provides a huge improvement to Conan's usability and security.
develop branch, documenting this one.
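The difference the description argues for, shown as an added example (not Conan's code): a minimal run() helper that accepts either form, and a harmless "echo" marker standing in for the destructive payload quoted above. The string form assumes a POSIX sh; the helper and its names are hypothetical.

```python
import json
import shlex
import subprocess
import sys
from typing import Sequence, Union

Command = Union[str, Sequence[str]]


def run(command: Command) -> subprocess.CompletedProcess:
    """Hypothetical runner in the spirit of the PR (not Conan's own code).

    A str keeps the legacy behaviour and goes through the shell; a sequence is
    handed to the OS as argv, so every element is one literal argument and no
    shell metacharacters are interpreted.
    """
    return subprocess.run(command, shell=isinstance(command, str),
                          capture_output=True, text=True)


# Constructed "untrusted" value (think: a path or option read from recipe
# input). A harmless marker stands in for the "; rm -rf ~;" from the PR text.
UNTRUSTED_ARG = "x; echo INJECTED;"

# Child program that reports the argv it actually received, as one JSON line.
ECHO_ARGV = "import sys, json; print(json.dumps(sys.argv[1:]))"


def run_as_string() -> str:
    """Legacy style: the value is interpolated into one command string without
    quoting it. POSIX sh splits at ';' and runs the extra command."""
    cmd = (f"{shlex.quote(sys.executable)} -c {shlex.quote(ECHO_ARGV)} "
           f"{UNTRUSTED_ARG}")
    return run(cmd).stdout


def run_as_sequence() -> str:
    """Sequence style enabled by the PR: the same value is one argv element,
    delivered verbatim; nothing is interpreted and nothing needs quoting."""
    return run([sys.executable, "-c", ECHO_ARGV, UNTRUSTED_ARG]).stdout


def child_args(stdout: str) -> list:
    """Parse the JSON argv line the child printed (first line of stdout)."""
    return json.loads(stdout.splitlines()[0])


if __name__ == "__main__":
    print("string  :", repr(run_as_string()))    # '["x"]\nINJECTED\n'
    print("sequence:", repr(run_as_sequence()))  # '["x; echo INJECTED;"]\n'
```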