Skip to content
This repository was archived by the owner on Feb 15, 2023. It is now read-only.

Commit 01fa9f0

Browse files
ChuckCoxChuckCox
authored
Merge pull request #69 from IBM/asocfix2
fix: subprocess vulnerability
2 parents c55d4cf + 6d3f7d3 commit 01fa9f0

File tree

3 files changed

+75
-41
lines changed

3 files changed

+75
-41
lines changed

Pipfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,5 +9,5 @@ verify_ssl = true
99
gunicorn = "==19.7.1"
1010
ibmcloudenv = "*"
1111
livereload = "*"
12-
Flask = ">=1.0.0"
12+
flask = ">=1.0.0"
1313
prometheus_client = "*"

Pipfile.lock

Lines changed: 66 additions & 32 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

manage.py

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
import os, sys, argparse, subprocess, signal, shlex
1+
import os, sys, argparse, subprocess, signal
22

33
# Project defaults
44
FLASK_APP = 'server/__init__.py'
@@ -17,7 +17,7 @@ def run(self, conf):
1717
env = os.environ
1818
env.update(conf)
1919
env.update(self.env)
20-
subprocess.call(shlex.split(cmd), env=env, shell=True)
20+
subprocess.call(cmd, env=env)
2121

2222

2323
class CommandManager:
@@ -51,12 +51,12 @@ def availableCommands(self):
5151
cm.add(Command(
5252
"build",
5353
"compiles python files in project into .pyc binaries",
54-
lambda c: 'python -m compileall .'))
54+
lambda c: ['python', '-m', 'compileall', '.']))
5555

5656
cm.add(Command(
5757
"start",
5858
"runs server with gunicorn in a production setting",
59-
lambda c: 'gunicorn -b {0}:{1} server:app'.format(c['host'], c['port']),
59+
lambda c: ['gunicorn', '-b', c['host'] + ':' + c['port'], 'server:app'],
6060
{
6161
'FLASK_APP': FLASK_APP,
6262
'FLASK_DEBUG': 'false'
@@ -65,7 +65,7 @@ def availableCommands(self):
6565
cm.add(Command(
6666
"run",
6767
"runs dev server using Flask's native debugger & backend reloader",
68-
lambda c: 'python -m flask run --host={0} --port={1} --debugger --reload'.format(c['host'], c['port']),
68+
lambda c: ['python', '-m', 'flask', 'run', '--host=' + c['host'], '--port=' + c['port'], '--debugger', '--reload'],
6969
{
7070
'FLASK_APP': FLASK_APP,
7171
'FLASK_DEBUG': 'true'
@@ -74,7 +74,7 @@ def availableCommands(self):
7474
cm.add(Command(
7575
"livereload",
7676
"runs dev server using livereload for dynamic webpage reloading",
77-
lambda c: 'python -m flask run',
77+
lambda c: ['python', '-m', 'flask', 'run'],
7878
{
7979
'FLASK_APP': FLASK_APP,
8080
'FLASK_LIVE_RELOAD': 'true',
@@ -83,7 +83,7 @@ def availableCommands(self):
8383
cm.add(Command(
8484
"debug",
8585
"runs dev server in debug mode; use with an IDE's remote debugger",
86-
lambda c: 'python -m flask run --host={0} --port={1} --no-debugger --no-reload'.format(c['host'], c['port']),
86+
lambda c: ['python', '-m', 'flask', 'run', '--host=' + c['host'], '--port=' + c['port'], '--no-debugger', '--no-reload'],
8787
{
8888
'FLASK_APP': FLASK_APP,
8989
'FLASK_DEBUG': 'true'
@@ -92,7 +92,7 @@ def availableCommands(self):
9292
cm.add(Command(
9393
"test",
9494
"runs all tests inside of `tests` directory",
95-
lambda c: 'python -m unittest discover -s tests -p "*.py"'))
95+
lambda c: ['python', '-m', 'unittest', 'discover', '-s', 'tests', '-p', '"*.py"']))
9696

9797
# Create and format argument parser for CLI
9898
parser = argparse.ArgumentParser(description=cm.availableCommands(),

0 commit comments

Comments
 (0)