Sandbox Process Creation (#5)

pixeebot[bot] · web-flow · commit d9c95f9e420b · 2024-07-19T08:55:16.000-04:00
Co-authored-by: pixeebot[bot] &lt;104101892+pixeebot[bot]@users.noreply.github.com&gt;
diff --git a/pyproject.toml b/pyproject.toml
@@ -47,6 +47,7 @@ ruyaml = "0.91.0"
 six = "1.16.0"
 social-auth-app-django = "5.4.0"
 uwsgi = "2.0.23"
+security = "==1.3.0"
 
 [tool.poetry.group.lint]
 optional = true
diff --git a/python/cm/services/job/run/_task.py b/python/cm/services/job/run/_task.py
@@ -21,6 +21,7 @@
 from cm.issue import lock_affected_objects
 from cm.models import TaskLog
 from cm.utils import get_env_with_venv_path
+from security import safe_command
 
 logger = logging.getLogger("adcm")
 
@@ -50,7 +51,6 @@ def _run_task(task: TaskLog, command: Literal["start", "restart"]):
         str(task.pk),
     ]
     logger.info("task run cmd: %s", " ".join(cmd))
-    proc = subprocess.Popen(  # noqa: SIM115
-        args=cmd, stderr=err_file, env=get_env_with_venv_path(venv=task.action.venv)
+    proc = safe_command.run(subprocess.Popen, args=cmd, stderr=err_file, env=get_env_with_venv_path(venv=task.action.venv)
     )
     logger.info("task run #%s, python process %s", task.pk, proc.pid)
diff --git a/python/core/job/executors.py b/python/core/job/executors.py
@@ -20,6 +20,7 @@
 from typing_extensions import Self
 
 from core.job.types import BundleInfo
+from security import safe_command
 
 
 class ExecutionResult(NamedTuple):
@@ -99,8 +100,7 @@ def execute(self) -> Self:
         self._open_logs(log_dir=self._config.work_dir, log_prefix=self.script_type)
 
         os.chdir(self._config.bundle.root)
-        self._process = subprocess.Popen(
-            command,  # noqa S603
+        self._process = safe_command.run(subprocess.Popen, command,  # noqa S603
             env=environment,
             stdout=self._out_log,
             stderr=self._err_log,

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@`
`21`	`21`	`from cm.issue import lock_affected_objects`
`22`	`22`	`from cm.models import TaskLog`
`23`	`23`	`from cm.utils import get_env_with_venv_path`
	`24`	`+from security import safe_command`
`24`	`25`
`25`	`26`	`logger = logging.getLogger("adcm")`
`26`	`27`
`@@ -50,7 +51,6 @@ def _run_task(task: TaskLog, command: Literal["start", "restart"]):`
`50`	`51`	`str(task.pk),`
`51`	`52`	`]`
`52`	`53`	`logger.info("task run cmd: %s", " ".join(cmd))`
`53`		`- proc = subprocess.Popen( # noqa: SIM115`
`54`		`- args=cmd, stderr=err_file, env=get_env_with_venv_path(venv=task.action.venv)`
	`54`	`+ proc = safe_command.run(subprocess.Popen, args=cmd, stderr=err_file, env=get_env_with_venv_path(venv=task.action.venv)`
`55`	`55`	`)`
`56`	`56`	`logger.info("task run #%s, python process %s", task.pk, proc.pid)`