Sandbox Process Creation

pixee · Jan 2, 2024 · 37a0fc0 · 37a0fc0
1 parent bf7d7cb
commit 37a0fc0
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 19 deletions.
diff --git a/integration_tests/base_test.py b/integration_tests/base_test.py
@@ -9,6 +9,7 @@
 from codemodder import __version__
 from codemodder import registry
 from tests.validations import execute_code
+from security import safe_command
 
 SAMPLES_DIR = "tests/samples"
 # Enable import of test modules from test directory
@@ -154,8 +155,7 @@ def test_file_rewritten(self):
         self.check_code_before()
         self.check_dependencies_before()
 
-        completed_process = subprocess.run(
-            command,
+        completed_process = safe_command.run(subprocess.run, command,
             check=False,
             shell=False,
         )
@@ -169,8 +169,7 @@ def test_file_rewritten(self):
 
     def _run_idempotency_chec(self, command):
         # idempotency test, run it again and assert no files changed
-        completed_process = subprocess.run(
-            command,
+        completed_process = safe_command.run(subprocess.run, command,
             check=False,
         )
         assert completed_process.returncode == 0

diff --git a/integration_tests/test_dependency_manager.py b/integration_tests/test_dependency_manager.py
@@ -4,6 +4,7 @@
 import pytest
 from integration_tests.base_test import SAMPLES_DIR, CleanRepoMixin
 from textwrap import dedent
+from security import safe_command
 
 
 class TestDependencyManager(CleanRepoMixin):
@@ -60,8 +61,7 @@ def test_add_to_pyproject_toml(self, tmp_repo):
             "--codemod-include=url-sandbox",
             "--verbose",
         ]
-        completed_process = subprocess.run(
-            command,
+        completed_process = safe_command.run(subprocess.run, command,
             check=False,
             shell=False,
             capture_output=True,
@@ -83,8 +83,7 @@ def test_add_to_requirements_txt(self, tmp_repo):
             "--codemod-include=url-sandbox",
             "--verbose",
         ]
-        completed_process = subprocess.run(
-            command,
+        completed_process = safe_command.run(subprocess.run, command,
             check=False,
             shell=False,
             capture_output=True,
@@ -108,8 +107,7 @@ def test_add_to_setup(self, tmp_repo):
             "--codemod-include=url-sandbox",
             "--verbose",
         ]
-        completed_process = subprocess.run(
-            command,
+        completed_process = safe_command.run(subprocess.run, command,
             check=False,
             shell=False,
             capture_output=True,
@@ -133,8 +131,7 @@ def test_fail_to_add(self, tmp_repo):
             "--codemod-include=url-sandbox",
             "--verbose",
         ]
-        completed_process = subprocess.run(
-            command,
+        completed_process = safe_command.run(subprocess.run, command,
             check=False,
             shell=False,
             capture_output=True,

diff --git a/integration_tests/test_multiple_codemods.py b/integration_tests/test_multiple_codemods.py
@@ -6,6 +6,7 @@
 import pytest
 
 from .base_test import SAMPLES_DIR
+from security import safe_command
 
 
 class TestMultipleCodemods:
@@ -31,8 +32,7 @@ def test_two_codemods(self, codemods, tmpdir):
             f"**/{source_file_name}",
         ]
 
-        completed_process = subprocess.run(
-            command,
+        completed_process = safe_command.run(subprocess.run, command,
             check=False,
             shell=False,
         )

diff --git a/integration_tests/test_program.py b/integration_tests/test_program.py
@@ -1,14 +1,14 @@
 import subprocess
+from security import safe_command
 
 
 class TestProgramFails:
     def test_no_project_dir_provided(self):
-        completed_process = subprocess.run(["codemodder"], check=False)
+        completed_process = safe_command.run(subprocess.run, ["codemodder"], check=False)
         assert completed_process.returncode == 3
 
     def test_codemods_include_exclude_conflict(self):
-        completed_process = subprocess.run(
-            [
+        completed_process = safe_command.run(subprocess.run, [
                 "codemodder",
                 "tests/samples/",
                 "--output",

diff --git a/pyproject.toml b/pyproject.toml
@@ -22,6 +22,7 @@ dependencies = [
     "tomlkit~=0.12.0",
     "wrapt~=1.16.0",
     "chardet~=5.2.0",
+    "security~=1.2.0",
 ]
 keywords = ["codemod", "codemods", "security", "fix", "fixes"]
 classifiers = [

diff --git a/src/codemodder/semgrep.py b/src/codemodder/semgrep.py
@@ -6,6 +6,7 @@
 from codemodder.context import CodemodExecutionContext
 from codemodder.sarifs import SarifResultSet
 from codemodder.logging import logger
+from security import safe_command
 
 
 def run(
@@ -37,8 +38,7 @@ def run(
         )
         command.extend(map(str, files_to_analyze or [execution_context.directory]))
         logger.debug("semgrep command: `%s`", " ".join(command))
-        call = subprocess.run(
-            command,
+        call = safe_command.run(subprocess.run, command,
             shell=False,
             check=False,
             stdout=None if execution_context.verbose else subprocess.PIPE,