Trying to secure calls to the shell

The main take away is to not put in user input. Need to write a big warning in it and if it happens then we need to sanitize it. See https://python.land/operating-system/python-subprocess

allowed_errors.json

@@ -12,12 +12,11 @@
     "WPS230": 1,
     "WPS212": 1,
     "WPS100": 1,
-    "S602": 1,
-    "S404": 1,
     "S309": 1,
     "RST203": 1,
     "DAR301": 1,
     "D402": 1,
+    "WPS318": 1,
     "WPS609": 2,
     "WPS529": 2,
     "WPS501": 2,
@@ -26,26 +25,24 @@
     "WPS301": 2,
     "WPS232": 2,
     "WPS120": 2,
-    "WPS318": 2,
+    "WPS319": 2,
     "WPS605": 3,
     "WPS510": 3,
     "WPS361": 3,
-    "WPS319": 3,
     "WPS234": 3,
     "WPS211": 3,
     "WPS122": 3,
     "WPS115": 3,
     "DAR401": 3,
     "D403": 3,
-    "I001": 3,
     "WPS428": 4,
     "WPS420": 4,
     "D105": 4,
     "C812": 4,
+    "WPS462": 5,
     "WPS405": 5,
     "WPS348": 5,
     "WPS121": 5,
-    "WPS462": 5,
     "WPS425": 6,
     "WPS335": 6,
     "WPS237": 6,
@@ -55,9 +52,8 @@
     "W504": 8,
     "WPS400": 9,
     "WPS229": 9,
-    "Q001": 10,
     "WPS458": 10,
-    "I005": 10,
+    "Q001": 10,
     "D401": 11,
     "D209": 12,
     "WPS226": 13,

packages/python/m/core/issue.py

@@ -98,7 +98,8 @@ def __init__(
 
     def to_dict(self) -> IssueDict:
         """Convert to a ordered dictionary so that each of the properties are
-        written in an expected order."""
+        written in an expected order.
+        """
         obj = cast(IssueDict, OrderedDict())
         obj['message'] = self.message
         if self.description:

packages/python/m/core/subprocess.py

@@ -1,4 +1,5 @@
-from subprocess import PIPE, STDOUT, Popen
+import shlex
+from subprocess import STDOUT, CalledProcessError, check_output  # noqa: S404
 
 from . import Issue, issue
 from .fp import Good, OneOf
@@ -13,18 +14,13 @@ def eval_cmd(cmd: str) -> OneOf[Issue, str]:
     Returns:
         The output of the command (or an Issue if the command failed).
     """
-    with Popen(
-        cmd,
-        shell=True,
-        universal_newlines=True,
-        executable='/bin/bash',
-        stdout=PIPE,
-        stderr=STDOUT,
-    ) as process:
-        out, _ = process.communicate()
-        if process.returncode == 0:
-            return Good(out.strip())
-    return issue(
-        'command returned a non zero exit code',
-        context={'cmd': cmd, 'output': out},
-    )
+    command = shlex.split(cmd)
+    try:
+        out = check_output(command, stderr=STDOUT, shell=False).decode()  # noqa: S603,E501
+    except CalledProcessError as ex:
+        out = ex.output.decode()
+        return issue(
+            'command returned a non zero exit code',
+            context={'cmd': cmd, 'output': out},
+        )
+    return Good(out.strip())

packages/python/m/github/ci_dataclasses.py

@@ -42,8 +42,7 @@ class Commit(JsonStr):
 
     def get_pr_branch(self) -> str:
         """Return the pr branch if the commit has an associated pr or empty
-        string.
-        """
+        string."""
         if not self.associated_pull_request:
             return ''
         return self.associated_pull_request.pr_branch