51a1eb112b
Signed-off-by: maipbui <maibui@microsoft.com> Dependency: [PR (#12065)](https://github.com/sonic-net/sonic-buildimage/pull/12065) needs to merge first. #### Why I did it 1. `eval()` - not secure against maliciously constructed input, can be dangerous if used to evaluate dynamic content. This may be a code injection vulnerability. 2. `subprocess()` - when using with `shell=True` is dangerous. Using subprocess function without a static string can lead to command injection. 3. `os` - not secure against maliciously constructed input and dangerous if used to evaluate dynamic content. 4. `is` operator - string comparison should not be used with reference equality. 5. `globals()` - extremely dangerous because it may allow an attacker to execute arbitrary code on the system #### How I did it 1. `eval()` - use `literal_eval()` 2. `subprocess()` - use `shell=False` instead. use an array string. Ref: [https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation](https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation) 3. `os` - use with `subprocess` 4. `is` - replace by `==` operator for value equality 5. `globals()` - avoid the use of globals() |
||
|---|---|---|
| .. | ||
| accton | ||
| alphanetworks | ||
| arista | ||
| barefoot | ||
| broadcom | ||
| celestica | ||
| centec | ||
| cig | ||
| common | ||
| dell | ||
| delta | ||
| facebook/x86_64-facebook_wedge100-r0 | ||
| ingrasys | ||
| inventec | ||
| juniper | ||
| marvell | ||
| mellanox | ||
| mitac/x86_64-mitac_ly1200_b32h0_c3-r0 | ||
| netberg | ||
| nokia | ||
| pegatron/x86_64-pegatron_porsche-r0 | ||
| quanta | ||
| ragile | ||
| ruijie/x86_64-ruijie_b6510-48vs8cq-r0 | ||
| virtual | ||
| wistron | ||
| wnc/x86_64-wnc_osw1800-r0 | ||