

Add support for Popen to process-creation-sandbox
drdavella committed Dec 13, 2023
1 parent 8a16319 commit 1acd224
Showing 3 changed files with 39 additions and 3 deletions.
6 changes: 3 additions & 3 deletions integration_tests/test_process_sandbox.py
Expand Up @@ -14,11 +14,11 @@ class TestProcessSandbox(BaseIntegrationTest):
(1, """from security import safe_command\n\n"""),
(2, """safe_command.run(subprocess.run, "echo 'hi'", shell=True)\n"""),
(3, """safe_command.run(subprocess.run, ["ls", "-l"])\n"""),
(5, """safe_command.call(subprocess.call, "echo 'hi'", shell=True)\n"""),
(6, """safe_command.call(subprocess.call, ["ls", "-l"])\n"""),
(5, """safe_command.run(subprocess.call, "echo 'hi'", shell=True)\n"""),
(6, """safe_command.run(subprocess.call, ["ls", "-l"])\n"""),
],
)
expected_diff = '--- \n+++ \n@@ -1,10 +1,11 @@\n import subprocess\n+from security import safe_command\n \n-subprocess.run("echo \'hi\'", shell=True)\n-subprocess.run(["ls", "-l"])\n+safe_command.run(subprocess.run, "echo \'hi\'", shell=True)\n+safe_command.run(subprocess.run, ["ls", "-l"])\n \n-subprocess.call("echo \'hi\'", shell=True)\n-subprocess.call(["ls", "-l"])\n+safe_command.call(subprocess.call, "echo \'hi\'", shell=True)\n+safe_command.call(subprocess.call, ["ls", "-l"])\n \n subprocess.check_output(["ls", "-l"])\n \n'
expected_diff = '--- \n+++ \n@@ -1,10 +1,11 @@\n import subprocess\n+from security import safe_command\n \n-subprocess.run("echo \'hi\'", shell=True)\n-subprocess.run(["ls", "-l"])\n+safe_command.run(subprocess.run, "echo \'hi\'", shell=True)\n+safe_command.run(subprocess.run, ["ls", "-l"])\n \n-subprocess.call("echo \'hi\'", shell=True)\n-subprocess.call(["ls", "-l"])\n+safe_command.run(subprocess.call, "echo \'hi\'", shell=True)\n+safe_command.run(subprocess.call, ["ls", "-l"])\n \n subprocess.check_output(["ls", "-l"])\n \n'
expected_line_change = "3"
num_changes = 4
num_changed_files = 2
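Review bot: The integration fixture exercised here still contains no `subprocess.Popen` call, so the Popen pattern this commit adds is covered only by the unit tests and never end-to-end; the old side of the updated `expected_diff` shows the fixture as two `run` calls, two `call` calls and an untouched `subprocess.check_output`, which is also why `num_changes = 4`. Consider adding a `subprocess.Popen(["ls", "-l"])` line to the fixture together with a `+safe_command.run(subprocess.Popen, ["ls", "-l"])` entry in `expected_diff`, and raising `num_changes` accordingly. The fixture file itself is outside this diff, so the exact line numbers in the expected hunk header would need re-checking after that change.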
6 changes: 6 additions & 0 deletions src/core_codemods/process_creation_sandbox.py
Expand Up @@ -39,6 +39,11 @@ def rule(cls):
- pattern-inside: |
import subprocess
...
- patterns:
- pattern: subprocess.Popen(...)
- pattern-inside: |
import subprocess
...
"""

def on_result_found(self, original_node, updated_node):
Expand All @@ -47,5 +52,6 @@ def on_result_found(self, original_node, updated_node):
return self.update_call_target(
updated_node,
"safe_command",
new_func="run",
replacement_args=[cst.Arg(original_node.func), *original_node.args],
)
30 changes: 30 additions & 0 deletions tests/codemods/test_process_creation_sandbox.py
Expand Up @@ -138,3 +138,33 @@ def test_custom_run(self, tmpdir):
run("echo 'hi'", shell=True)"""
expected = input_code
self.run_and_assert(tmpdir, input_code, expected)

def test_subprocess_call(self, tmpdir):
input_code = """
import subprocess
subprocess.call(["ls", "-l"])
"""
expected = """
import subprocess
from security import safe_command
safe_command.run(subprocess.call, ["ls", "-l"])
"""
self.run_and_assert(tmpdir, input_code, expected)
self.assert_dependency(Security)

def test_subprocess_popen(self, tmpdir):
input_code = """
import subprocess
subprocess.Popen(["ls", "-l"])
"""
expected = """
import subprocess
from security import safe_command
safe_command.run(subprocess.Popen, ["ls", "-l"])
"""
self.run_and_assert(tmpdir, input_code, expected)
self.assert_dependency(Security)
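Review bot: `test_subprocess_popen` covers only the list-argument form, and neither it nor `test_subprocess_call` exercises `shell=True`, which is the variant a process sandbox most needs to handle correctly since a shell string is where command-injection risk concentrates; `test_custom_run` just above already uses that form, so the file has the precedent. Adding a case with input `subprocess.Popen("echo 'hi'", shell=True)` and expected `safe_command.run(subprocess.Popen, "echo 'hi'", shell=True)` would pin that keyword arguments are carried through for Popen the way the integration test asserts them for `run`. Both new test methods are complete within this hunk.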
