remove shell=True (#470)

* remove shell=True
* constrain profile options

Author: AllyW

HISTORY.rst

@@ -2,6 +2,10 @@
 
 Release History
 ===============
+0.1.78
+++++++
+* Mitigate shell injection risk from user input.
+
 0.1.77
 ++++++
 * `azdev extension cal-next-version`: Fix pre_num when tagged preview version with `major`, `minor`, `patch`.

README.rst

@@ -3,6 +3,8 @@ Microsoft Azure CLI Dev Tools (azdev)
 
 The ``azdev`` tool is designed to aid new and experienced developers in contributing to Azure CLI command modules and extensions.
 
+Notes: `azdev` command line tool is only designed for internal use and running on a local machine. It should never be used to take input from untrusted/outside sources or used behind another application.
+
 Setting up your development environment
 +++++++++++++++++++++++++++++++++++++++
 

azdev/__init__.py

@@ -4,4 +4,4 @@
 # license information.
 # -----------------------------------------------------------------------------
 
-__VERSION__ = '0.1.77'
+__VERSION__ = '0.1.78'

azdev/params.py

@@ -50,7 +50,7 @@ def load_arguments(self, _):
                      help="Space-separated list of tests to run. Can specify module or extension names, test filenames, class name or individual method names. "
                           "Omit to check all or use 'CLI' or 'EXT' to check only CLI modules or extensions respectively.",
                      completer=get_test_completion)
-        c.argument('profile', options_list='--profile', help='Run automation against a specific profile. If omit, the tests will run against current profile.')
+        c.argument('profile', options_list='--profile', choices=['latest', '2017-03-09-profile', '2018-03-01-hybrid', '2019-03-01-hybrid', '2020-09-01-profile'], help='Run automation against a specific profile. If omit, the tests will run against current profile.')
         c.argument('pytest_args', nargs=argparse.REMAINDER, options_list=['--pytest-args', '-a'], help='Denotes the remaining args will be passed to pytest.')
         c.argument('last_failed', options_list='--lf', action='store_true', help='Re-run the last tests that failed.')
         c.argument('no_exit_first', options_list='--no-exitfirst', action='store_true', help='Do not exit on first error or failed test')

azdev/utilities/command.py

@@ -7,6 +7,7 @@
 import os
 import subprocess
 import sys
+import shlex
 
 from knack.log import get_logger
 from knack.util import CommandResultItem
@@ -31,10 +32,16 @@ def call(command, **kwargs):
     :param kwargs: Any kwargs supported by subprocess.Popen
     :returns: (int) process exit code.
     """
-    return subprocess.call(
-        command,
-        shell=True,
-        **kwargs)
+    from azdev.utilities import IS_WINDOWS
+    cmd_args = command
+    if IS_WINDOWS and command.startswith('az '):
+        cmd_args = "az.bat " + command[3:]
+    if not IS_WINDOWS:
+        cmd_args = shlex.split(command)
+    return subprocess.run(
+        cmd_args,
+        check=False,  # supress subprocess-run-check linter warning, no CalledProcessError
+        **kwargs).returncode
 
 
 def cmd(command, message=False, show_stderr=True, raise_error=False, **kwargs):
@@ -57,12 +64,18 @@ def cmd(command, message=False, show_stderr=True, raise_error=False, **kwargs):
         display(message)
 
     logger.info("Running: %s", command)
+    cmd_args = command
+    if IS_WINDOWS and command.startswith('az '):
+        cmd_args = "az.bat " + command[3:]
+    if not IS_WINDOWS:
+        cmd_args = shlex.split(command)
     try:
-        output = subprocess.check_output(
-            command.split(),
+        output = subprocess.run(
+            cmd_args,
+            check=True,
+            stdout=subprocess.PIPE,
             stderr=subprocess.STDOUT if show_stderr else None,
-            shell=IS_WINDOWS,
-            **kwargs).decode('utf-8').strip()
+            **kwargs).stdout.decode('utf-8').strip()
         logger.debug(output)
         return CommandResultItem(output, exit_code=0, error=None)
     except subprocess.CalledProcessError as err: