Remove shell usage from detector tools#4866
Conversation
github-actions
Bot
added
BCOS-L1
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
LGTM! Thanks for contributing. Approved.
saim256
left a comment
saim256
left a comment
There was a problem hiding this comment.
Approving current head 42de7b0.
The #4813 fix is focused: gpu_display_detector.py no longer invokes lspci through a shell, os_detector.py uses os.listdir('.') instead of shelling out to dir, and the AST regression catches future shell=True reintroductions in both detector tools. The existing OS detector behavior is preserved by updating the focused tests to mock os.listdir().
Validation performed:
python -m pytest tests\test_detector_tools_no_shell.py tools\test_os_detector.py -q-> 3 passedpython -m py_compile tools\gpu_display_detector.py tools\os_detector.py tools\test_os_detector.py tests\test_detector_tools_no_shell.py-> passedpython tools\bcos_spdx_check.py --base-ref origin/main-> BCOS SPDX check: OKgit diff --check origin/main...HEAD -- tools/gpu_display_detector.py tools/os_detector.py tools/test_os_detector.py tests/test_detector_tools_no_shell.py-> passedpython -m ruff check tools\gpu_display_detector.py tools\os_detector.py tools\test_os_detector.py tests\test_detector_tools_no_shell.py --select E9,F821,F811 --output-format=concise-> All checks passed
godd-ctrl
left a comment
godd-ctrl
left a comment
There was a problem hiding this comment.
Approved current head 42de7b0.
The detector tools no longer use shell=True for the legacy OS and GPU display probes. The GPU probe now invokes lspci as an argv list, the OS probe uses os.listdir instead of shelling out to dir, and the added AST regression covers shell=True in both detector tools.
Validation performed:
- git diff --name-status origin/main...HEAD -> tools/gpu_display_detector.py, tools/os_detector.py, tools/test_os_detector.py, tests/test_detector_tools_no_shell.py
- git diff --check origin/main...HEAD -> passed
- python tools\bcos_spdx_check.py --base-ref origin/main -> passed
- python -m py_compile tools\gpu_display_detector.py tools\os_detector.py tools\test_os_detector.py tests\test_detector_tools_no_shell.py -> passed
- python -m pytest tools\test_os_detector.py tests\test_detector_tools_no_shell.py -q -> 3 passed
- rg scan for shell=True/check_output string/os.system/os.popen patterns in the touched files -> no matches
No blocking issues found in the reviewed diff.
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Great contribution! LGTM.
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Great contribution! LGTM.
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Great contribution! LGTM.
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Great contribution! LGTM.
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Great contribution! LGTM.
loganoe
left a comment
loganoe
left a comment
There was a problem hiding this comment.
Review for Scottcjn/rustchain-bounties#73 on current head 42de7b0cc670597394405d2a3b00551bd89b05d7.
The detector hardening is scoped and correct: gpu_display_detector.py now invokes lspci as an argv list instead of through a shell, os_detector.py replaces the shell-mediated dir scan with os.listdir('.'), and the added AST regression guards both detector tools against reintroducing shell=True.
Validation performed:
PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --no-project --with pytest --with flask python -m pytest tests/test_detector_tools_no_shell.py tools/test_os_detector.py -q-> 3 passedpython3 -m py_compile tools/gpu_display_detector.py tools/os_detector.py tools/test_os_detector.py tests/test_detector_tools_no_shell.py-> passedgit diff --check origin/main...HEAD -- tools/gpu_display_detector.py tools/os_detector.py tools/test_os_detector.py tests/test_detector_tools_no_shell.py-> passedpython3 tools/bcos_spdx_check.py --base-ref origin/main-> OK
No blocking issues found in this diff.
508704820
left a comment
508704820
left a comment
There was a problem hiding this comment.
Code Review: Remove Shell Usage from Detector Tools
Summary
Adds AST-based test that detects subprocess.run(shell=True) in detector tools and removes any such usage. This prevents shell injection vulnerabilities in GPU display and OS detector tools.
What Works Well
- AST-based detection: Parses Python source code to find shell=True usage
- Comprehensive scan: Checks all detector tool files
- 38-line test: Clean, focused verification
- Prevention: Acts as a CI gate — future PRs with shell=True will fail tests
Verdict: Approve
Good proactive security measure. AST scanning prevents future shell injection regressions.
6 participants
Summary
subprocess.check_output("lspci", shell=True)with argv-list execution and no shell mediation.subprocess.check_output("dir", shell=True)withos.listdir(".")for the OS keyword scan.shell=True.Fixes #4813.
Validation
python -m pytest tests\test_detector_tools_no_shell.py tools\test_os_detector.py -q-> 3 passedpython -m py_compile tools\gpu_display_detector.py tools\os_detector.py tools\test_os_detector.py tests\test_detector_tools_no_shell.py-> passedgit diff --check -- tools\gpu_display_detector.py tools\os_detector.py tools\test_os_detector.py tests\test_detector_tools_no_shell.py-> passedpython tools\bcos_spdx_check.py --base-ref origin/main-> OKpython -m ruff check tools\gpu_display_detector.py tools\os_detector.py tools\test_os_detector.py tests\test_detector_tools_no_shell.py --select E9,F821,F811 --output-format=concise-> unavailable locally:No module named ruff