Sandbox Process Creation (#1799)

* Sandbox Process Creation * lib already in backend * update security * no need to test with newlines, hopefully, since they are not allowed by security lib * typing things --------- Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com> Co-authored-by: burnettk <burnettk@users.noreply.github.com>
2024-06-25 16:24:41 -07:00 · 2024-06-25 16:24:41 -07:00 · 26149ae339
parent d72080c9d5
commit 26149ae339
3 changed files with 9 additions and 7 deletions
--- a/spiffworkflow-backend/poetry.lock
+++ b/spiffworkflow-backend/poetry.lock
@ -2620,13 +2620,13 @@ typing-extensions = ">=4.7.1"

 [[package]]
 name = "security"
-version = "1.2.1"
+version = "1.3.0"
 description = "The security toolkit for the Python community"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "security-1.2.1-py3-none-any.whl", hash = "sha256:4ca5f8cfc6b836e2192a84bb5a28b72c17f3cd1abbfe3281f917394c6e6c9238"},
-    {file = "security-1.2.1.tar.gz", hash = "sha256:0a9dc7b457330e6d0f92bdae3603fecb85394beefad0fd3b5058758a58781ded"},
+    {file = "security-1.3.0-py3-none-any.whl", hash = "sha256:7a7a1dcd93f08a43c1e3020b05f3d04e1223bda503120434db9abe25eed23e2a"},
+    {file = "security-1.3.0.tar.gz", hash = "sha256:9380b12f8d82767d4a4c31d252654cab935b42b0c6529ba11a9e7e52d38de79f"},
 ]

 [package.dependencies]
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py
@ -6,6 +6,7 @@ import uuid

 from flask import current_app
 from flask import g
+from security import safe_command  # type: ignore

 from spiffworkflow_backend.config import ConfigurationError
 from spiffworkflow_backend.models.process_model import ProcessModelInfo
@ -187,8 +188,9 @@ class GitService:
                command_to_run = ["-C", context_directory] + command_to_run
            command_to_run = ["git"] + command_to_run

-        # this is fine since we pass the commands directly
-        result = subprocess.run(command_to_run, check=False, capture_output=True, env=my_env)  # noqa
+        result: subprocess.CompletedProcess[bytes] = safe_command.run(
+            subprocess.run, command_to_run, check=False, capture_output=True, env=my_env
+        )

        if return_success_state:
            return result.returncode == 0
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_git_service.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_git_service.py
@ -15,6 +15,6 @@ class TestGitService(BaseTest):
        with_db_and_bpmn_file_cleanup: None,
    ) -> None:
        output = GitService.run_shell_command_to_get_stdout(
-            ["echo", "   This output should not end in space or newline  \n"], prepend_with_git=False
+            ["echo", "   This output should not end in space  "], prepend_with_git=False
        )
-        assert output == "This output should not end in space or newline"
+        assert output == "This output should not end in space"