
packaging: Use subprocess instead of os.popen for change log creation #3469

Merged
merged 27 commits into from
Mar 21, 2024

Conversation

naidneelttil
Contributor

@naidneelttil naidneelttil commented Mar 1, 2024

This addresses a warning from Bandit about an injection attack risk by using subprocess.Popen instead of os.popen.

@github-actions github-actions bot added the Python Related code is in Python label Mar 1, 2024
Member

@wenzeslaus wenzeslaus left a comment


This is a good start. I have no idea why os.popen is here except that the code is quite dated. Works fine, it was just different Python in 2008.

@neteler neteler added this to the 8.4.0 milestone Mar 12, 2024
fixed import mistake

Co-authored-by: Markus Neteler <markus@neteler.org>
Contributor

@kpolchow kpolchow left a comment


Uses subprocess instead of os, more secure.

Command changed to an array of arguments passed to subprocess.popen(args). Code simplified overall for easier understanding.
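The argument-list pattern this review describes, as an added example (not code from the PR or from utils/gitlog2changelog.py): the legacy shell-string form is built but never executed, while the list form is run through subprocess with no shell, and a Python child reports its argv so the demonstration needs no git binary. The format string and the revision-range input are constructed for the example.

```python
import json
import subprocess
import sys


def legacy_shell_command(rev_range: str) -> str:
    """The kind of single string os.popen() hands to /bin/sh.

    Shown only for comparison; never executed here. Any shell metacharacter
    in rev_range (';', '|', '$(...)') would be interpreted by the shell.
    """
    return f"git log --pretty=format:'%h %s' {rev_range}"  # constructed format


def git_log_argv(rev_range: str) -> list[str]:
    """Argument list for subprocess: rev_range is one argv element, never parsed by a shell."""
    return ["git", "log", "--pretty=format:%h %s", rev_range]


def run_argv(argv: list[str]) -> str:
    """Run an argument list without a shell and return its stdout (raises on failure)."""
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return completed.stdout


def argv_as_seen_by_child(argv: list[str]) -> list[str]:
    """Swap argv[0] for a Python reporter that echoes its argv as JSON.

    This lets the example run offline without git and shows exactly what the
    spawned process receives.
    """
    reporter = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]
    return json.loads(run_argv(reporter + argv[1:]))


if __name__ == "__main__":
    tainted = "v8.3.0..HEAD; echo injected"  # constructed input with a shell metacharacter
    print("shell string the old code would run:", legacy_shell_command(tainted))
    # With the list form the whole tainted value arrives as a single argument.
    print("argv the child actually receives:", argv_as_seen_by_child(git_log_argv(tainted)))
```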

echoix
echoix previously requested changes Mar 17, 2024
@echoix
Member

echoix commented Mar 17, 2024

@kpolchow almost there! This PR is almost ready!

Co-authored-by: Edouard Choinière <27212526+echoix@users.noreply.github.com>
@echoix
Member

echoix commented Mar 18, 2024

CI is still failing. I think it is formatting with black that was forgotten.

@naidneelttil
Contributor Author

CI is still failing. I think it is formatting with black that was forgotten.

Thanks for the notice, I fixed the formatting reports from flake8 and black.

Member

@wenzeslaus wenzeslaus left a comment


All issues were addressed and the change log is generated in the CI in the release draft check.

@wenzeslaus wenzeslaus changed the title Addresses warning from Bandit - Injection attack risk in util file for gitlog packaging: Use subprocess instead of os.popen for change log creation Mar 21, 2024
@wenzeslaus wenzeslaus enabled auto-merge (squash) March 21, 2024 13:43
@echoix echoix dismissed their stale review March 21, 2024 20:32

Ready to go

@wenzeslaus wenzeslaus merged commit edb7703 into OSGeo:main Mar 21, 2024
26 checks passed
neteler pushed a commit that referenced this pull request Sep 29, 2024
…#3469)

This addresses a warning from Bandit about an injection attack risk by using subprocess.Popen instead of os.popen.

---------

Co-authored-by: kpolchow <polchow.kira@gmail.com>
Labels: Python (Related code is in Python)
5 participants