sonic-buildimage/device/celestica/x86_64-cel_e1031-r0/sonic_platform
Mai Bui 51a1eb112b
[device/celestica] Mitigation for command injection vulnerability (#11740)
Signed-off-by: maipbui <maibui@microsoft.com>
Dependency: [PR (#12065)](https://github.com/sonic-net/sonic-buildimage/pull/12065) needs to merge first.
#### Why I did it
1. `eval()` - not secure against maliciously constructed input, can be dangerous if used to evaluate dynamic content. This may be a code injection vulnerability.
2. `subprocess()` - when using with `shell=True` is dangerous. Using subprocess function without a static string can lead to command injection.
3. `os` - not secure against maliciously constructed input and dangerous if used to evaluate dynamic content.
4. `is` operator - string comparison should not be used with reference equality.
5. `globals()` - extremely dangerous because it may allow an attacker to execute arbitrary code on the system
#### How I did it
1. `eval()` - use `literal_eval()`
2. `subprocess()` - use `shell=False` instead. use an array string. Ref: [https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation](https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation)
3. `os` - use with `subprocess`
4. `is` - replace by `==` operator for value equality
5. `globals()` - avoid the use of globals()
2022-12-09 10:30:20 -05:00
..
__init__.py
chassis.py [device/celestica] Mitigation for command injection vulnerability (#11740) 2022-12-09 10:30:20 -05:00
common.py [device/celestica] Mitigation for command injection vulnerability (#11740) 2022-12-09 10:30:20 -05:00
component.py [device/celestica] Mitigation for command injection vulnerability (#11740) 2022-12-09 10:30:20 -05:00
eeprom.py Fix issue of partially parsing syseeprom value (#10020) (#10276) 2022-03-21 09:25:36 -07:00
event.py [device/celestica]: Fix failed test cases of Haliburton platform API (#7579) 2021-07-23 06:18:39 -07:00
fan_drawer.py [Celestica/sonic_platform]: Fixed failed test cases in Haliburton platform testing (#8815) 2021-10-08 11:10:05 +08:00
fan.py [Celestica/sonic_platform]: Fixed failed test cases in Haliburton platform testing (#8815) 2021-10-08 11:10:05 +08:00
platform.py
psu.py [device/celestica]:Fix failed test case of Haliburton snmp (#10844) 2022-05-26 00:06:50 +08:00
sfp.py [hlx/sfp] fix hlx platform sfp+ tx disable issue (#11532) 2022-07-28 09:39:23 +08:00
thermal_actions.py [device/celestica] Mitigation for command injection vulnerability (#11740) 2022-12-09 10:30:20 -05:00
thermal_conditions.py
thermal_infos.py
thermal_manager.py [device/celestica] Mitigation for command injection vulnerability (#11740) 2022-12-09 10:30:20 -05:00
thermal.py [device/celestica]:Fix failed test case of Haliburton snmp (#10844) 2022-05-26 00:06:50 +08:00
watchdog.py [device/celestica]: Fix failed test cases of Haliburton platform API (#7579) 2021-07-23 06:18:39 -07:00