From 26149ae33974b92d8ccbe81685ba2bf204221e22 Mon Sep 17 00:00:00 2001 From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com> Date: Tue, 25 Jun 2024 16:24:41 -0700 Subject: [PATCH] Sandbox Process Creation (#1799) * Sandbox Process Creation * lib already in backend * update security * no need to test with newlines, hopefully, since they are not allowed by security lib * typing things --------- Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com> Co-authored-by: burnettk --- spiffworkflow-backend/poetry.lock | 6 +++--- .../src/spiffworkflow_backend/services/git_service.py | 6 ++++-- .../tests/spiffworkflow_backend/unit/test_git_service.py | 4 ++-- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/spiffworkflow-backend/poetry.lock b/spiffworkflow-backend/poetry.lock index 60510cdc..9763f7f5 100644 --- a/spiffworkflow-backend/poetry.lock +++ b/spiffworkflow-backend/poetry.lock @@ -2620,13 +2620,13 @@ typing-extensions = ">=4.7.1" [[package]] name = "security" -version = "1.2.1" +version = "1.3.0" description = "The security toolkit for the Python community" optional = false python-versions = ">=3.8" files = [ - {file = "security-1.2.1-py3-none-any.whl", hash = "sha256:4ca5f8cfc6b836e2192a84bb5a28b72c17f3cd1abbfe3281f917394c6e6c9238"}, - {file = "security-1.2.1.tar.gz", hash = "sha256:0a9dc7b457330e6d0f92bdae3603fecb85394beefad0fd3b5058758a58781ded"}, + {file = "security-1.3.0-py3-none-any.whl", hash = "sha256:7a7a1dcd93f08a43c1e3020b05f3d04e1223bda503120434db9abe25eed23e2a"}, + {file = "security-1.3.0.tar.gz", hash = "sha256:9380b12f8d82767d4a4c31d252654cab935b42b0c6529ba11a9e7e52d38de79f"}, ] [package.dependencies] diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py index 8657dd8c..0d6cbf03 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py @@ -6,6 +6,7 @@ import uuid from flask import current_app from flask import g +from security import safe_command # type: ignore from spiffworkflow_backend.config import ConfigurationError from spiffworkflow_backend.models.process_model import ProcessModelInfo @@ -187,8 +188,9 @@ class GitService: command_to_run = ["-C", context_directory] + command_to_run command_to_run = ["git"] + command_to_run - # this is fine since we pass the commands directly - result = subprocess.run(command_to_run, check=False, capture_output=True, env=my_env) # noqa + result: subprocess.CompletedProcess[bytes] = safe_command.run( + subprocess.run, command_to_run, check=False, capture_output=True, env=my_env + ) if return_success_state: return result.returncode == 0 diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_git_service.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_git_service.py index d967695f..6e0b5065 100644 --- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_git_service.py +++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_git_service.py @@ -15,6 +15,6 @@ class TestGitService(BaseTest): with_db_and_bpmn_file_cleanup: None, ) -> None: output = GitService.run_shell_command_to_get_stdout( - ["echo", " This output should not end in space or newline \n"], prepend_with_git=False + ["echo", " This output should not end in space "], prepend_with_git=False ) - assert output == "This output should not end in space or newline" + assert output == "This output should not end in space"