[sonic-bgpcfgd] Replace getstatusoutput function (#12535)
Signed-off-by: maipbui <maibui@microsoft.com> #### Why I did it The `getstatusoutput()` function from the `subprocess` module has a shell injection issue because its implementation uses `shell=True`. #### How I did it Use `getstatusoutput_noshell()` from the sonic_py_common library. #### How to verify it Tested on a DUT.
parent
db7459787c
commit
57e333e40a
@ -23,12 +23,12 @@ Description: bgpmon.py -- populating bgp related information in stateDB.
|
|||||||
is a need to perform update or the peer is stale to be removed from the
|
is a need to perform update or the peer is stale to be removed from the
|
||||||
state DB
|
state DB
|
||||||
"""
|
"""
|
||||||
import subprocess
|
|
||||||
import json
|
import json
|
||||||
import os
|
import os
|
||||||
import syslog
|
import syslog
|
||||||
from swsscommon import swsscommon
|
from swsscommon import swsscommon
|
||||||
import time
|
import time
|
||||||
|
from sonic_py_common.general import getstatusoutput_noshell
|
||||||
|
|
||||||
PIPE_BATCH_MAX_COUNT = 50
|
PIPE_BATCH_MAX_COUNT = 50
|
||||||
|
|
||||||
@ -72,8 +72,8 @@ class BgpStateGet:
|
|||||||
|
|
||||||
# Get a new snapshot of BGP neighbors and store them in the "new" location
|
# Get a new snapshot of BGP neighbors and store them in the "new" location
|
||||||
def get_all_neigh_states(self):
|
def get_all_neigh_states(self):
|
||||||
cmd = "vtysh -c 'show bgp summary json'"
|
cmd = ["vtysh", "-c", 'show bgp summary json']
|
||||||
rc, output = subprocess.getstatusoutput(cmd)
|
rc, output = getstatusoutput_noshell(cmd)
|
||||||
if rc:
|
if rc:
|
||||||
syslog.syslog(syslog.LOG_ERR, "*ERROR* Failed with rc:{} when execute: {}".format(rc, cmd))
|
syslog.syslog(syslog.LOG_ERR, "*ERROR* Failed with rc:{} when execute: {}".format(rc, cmd))
|
||||||
return
|
return
|
||||||
|
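Review bot: In `get_all_neigh_states`, the error path after `getstatusoutput_noshell(cmd)` now formats a list, so the syslog line will read `['vtysh', '-c', 'show bgp summary json']` instead of the command text; passing `' '.join(cmd)` to `.format(...)` keeps the message as operators saw it before. Without a shell, a missing or non-executable `vtysh` probably no longer comes back as rc 127 but as an `OSError` raised from the helper (its implementation is not shown on this page, so confirm), which would bypass the `if rc:` logging and propagate to the caller; catching `OSError` around the call and logging it through the same `syslog.LOG_ERR` path would preserve the old failure behaviour. Dropping `import subprocess` is safe only if nothing else in bgpmon.py still references `subprocess`, which these hunks do not show. The function body continues past the end of the hunk.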