92d25be08f
Signed-off-by: maipbui <maibui@microsoft.com> Dependency: [https://github.com/sonic-net/sonic-buildimage/pull/12065](https://github.com/sonic-net/sonic-buildimage/pull/12065) #### Why I did it 1. `getstatusoutput` is used without a static string and it uses `shell=True` 2. `subprocess()` - when using with `shell=True` is dangerous. Using subprocess function without a static string can lead to command injection. 3. `os` - not secure against maliciously constructed input and dangerous if used to evaluate dynamic content. #### How I did it 1. use `getstatusoutput` without shell=True 2. `subprocess()` - use `shell=False` instead. use an array string. Ref: [https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation](https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation) 3. `os` - use with `subprocess` |
||
---|---|---|
.. | ||
barefoot | ||
broadcom | ||
cavium | ||
centec | ||
centec-arm64 | ||
checkout | ||
components | ||
generic | ||
innovium | ||
marvell | ||
marvell-arm64 | ||
marvell-armhf | ||
mellanox | ||
nephos | ||
p4 | ||
pddf | ||
template | ||
vs |