Project.git(list/str): reduce reliance on shlex.split() #683

Merged
merged 2 commits into from
Sep 1, 2023

Commits on Sep 1, 2023

  1. tox.ini: set flake8 max-line-length to 100

    Keep up with the times and new policies.
    
    Signed-off-by: Marc Herbert <marc.herbert@intel.com>
    marc-hb committed Sep 1, 2023
    92f093d
  2. Project.git(list/str): reduce reliance on shlex.split()

    For convenience, Project.git() supports passing either a list (good) or
    a string with whitespaces (bad). The latter is parsed with shlex.split().
    
    This saves some typing but the caller has to be extremely careful to
    never use the shlex.split() convenience with unsanitized inputs.
    
    Fixes commit 3ac600a ("git: clean west ref space after fetching")
    where the caller was not careful and concatenated `update-ref -d ` with
    unsanitized input, possibly containing special characters as found in
    bug zephyrproject-rtos#679. Fix this bug by converting the string to a list.
    
    While at it, look for a few other, frequent and risky invocations and
    convert their string argument to a list too. The following test hack was
    used to semi-automate the search for these other locations:
    
    ```
    --- a/src/west/manifest.py
    +++ b/src/west/manifest.py
    @@ -897,6 +897,8 @@ class Project:
             :param cwd: directory to run git in (default: ``self.abspath``)
             '''
             if isinstance(cmd, str):
    +            print(cmd)
    +            breakpoint()
                 cmd_list = shlex.split(cmd)
             else:
                 cmd_list = list(cmd)
    ```
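
    Review bot: the `print(cmd)` at the top of the `isinstance(cmd, str)` branch shows only the raw string, not the tokens that `shlex.split(cmd)` produces from it, so a caller whose interpolated value would be re-tokenized looks the same as a harmless one; printing `cmd_list` after the split as well would make those callers stand out. The `breakpoint()` on the next line turns every string call into an interactive stop, which suits a local search but must not be committed; a warning emitted in this branch would find the remaining string callers without a debugger attached.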
    
    While at it, also convert to a list a couple non-risky but very frequent
    invocations. This speeds up the test hack above.
    
    Signed-off-by: Marc Herbert <marc.herbert@intel.com>
    marc-hb committed Sep 1, 2023
    6325366
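
The failure mode the second commit message describes, as an added example that is not part of this PR or of west's code: `git_argv` is a hypothetical stand-in for the str/list branch shown in the test hack, and the ref names are constructed inputs. It compares the argv that results from concatenating `update-ref -d ` with a value against the argv from the list form.

```python
import shlex


def git_argv(cmd):
    """Hypothetical stand-in for the str/list branch of Project.git()."""
    if isinstance(cmd, str):
        return shlex.split(cmd)   # convenience path: re-parses the string
    return list(cmd)              # list path: arguments pass through as-is


def delete_ref_argv(ref):
    """Return (argv built from a string, argv built from a list) for `ref`.

    The first element is the ValueError itself when shlex cannot parse.
    """
    try:
        from_str = git_argv('update-ref -d ' + ref)
    except ValueError as exc:     # e.g. unbalanced quote in ref
        from_str = exc
    return from_str, git_argv(['update-ref', '-d', ref])


def quoted_argv(ref):
    """If a string is unavoidable, shlex.quote() makes the split round-trip."""
    return git_argv('update-ref -d ' + shlex.quote(ref))


# Constructed inputs, not taken from the bug report.
SAMPLES = ["refs/west/v1.0", "refs/west/rel 1.0", "refs/west/it's",
           "refs/west/a\\b", 'refs/west/"q"']

if __name__ == "__main__":
    for ref in SAMPLES:
        from_str, from_list = delete_ref_argv(ref)
        print(f"{ref!r}\n  str : {from_str!r}\n  list: {from_list!r}")
```

Only the first sample yields the same argv on both paths; the others are split, altered, or rejected by `shlex.split()`, while the list form always passes the value through as one argument.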