[sonic-eventd] Replace subprocess with shell=True (#12536)

Signed-off-by: maipbui <maibui@microsoft.com> #### Why I did it `subprocess` is used with `shell=True`, which is very dangerous for shell injection. #### How I did it remove `shell=True`, use `shell=False`
2022-10-28 12:50:04 -07:00 · 2022-10-28 12:50:04 -07:00 · f34ca2b6a6
commit f34ca2b6a6
parent 57e333e40a
1 changed files with 6 additions and 7 deletions
--- a/src/sonic-eventd/tools/events_volume_test.py
+++ b/src/sonic-eventd/tools/events_volume_test.py
@ -32,17 +32,16 @@ def run_test(process, file, count, duplicate):

    time.sleep(2) # buffer for events_tool to startup 
    logging.info("Generating logger messages\n")
+    sub_cmd = ["logger", "-p", "local0.notice", "-t", process, "test", "message"]
    for i in range(count):
-        line = ""
-        state = "up"
        if duplicate:
-            line = "{} test message testmessage state up".format(process)
+            command = sub_cmd + ["testmessage", "state", "up"]
        else:
            if i % 2 != 1:
-                state = "down"
-            line = "{} test message testmessage{} state {}".format(process, i, state)
-        command = "logger -p local0.notice -t {}".format(line)
-        subprocess.run(command, shell=True, stdout=subprocess.PIPE)
+                command = sub_cmd + ["testmessage"+str(i), "state", "down"]
+            else:
+                command = sub_cmd + ["testmessage"+str(i), "state", "up"]
+        subprocess.run(command, stdout=subprocess.PIPE)

    time.sleep(2) # some buffer for all events to be published to file
    read_events_from_file(file, count)