Skip to content

[device/juniper] Mitigation for security vulnerability#11838

Merged
maipbui merged 19 commits intosonic-net:masterfrom
maipbui:juniper_security
Nov 22, 2022
Merged

[device/juniper] Mitigation for security vulnerability#11838
maipbui merged 19 commits intosonic-net:masterfrom
maipbui:juniper_security

Conversation

@maipbui
Copy link
Contributor

@maipbui maipbui commented Aug 24, 2022
edited
Loading

Signed-off-by: maipbui maibui@microsoft.com

Dependency: #12065

Why I did it

commands module is not secure
command injection in getstatusoutput being used without a static string

How I did it

Eliminate commands module, use subprocess module only
Convert Python 2 to Python 3

How to verify it

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

@maipbui
Replace subprocess getstatusoutput by run
04d7d16 
Signed-off-by: maipbui <maibui@microsoft.com>
@maipbui maipbui requested a review from qiluo-msft August 24, 2022 18:02
@maipbui
Fix var name
fba2445 
Signed-off-by: maipbui <maibui@microsoft.com>
@maipbui
Add capture_output and minimize code change
e783a42 
Signed-off-by: maipbui <maibui@microsoft.com>
@qiluo-msft
Copy link
Collaborator

qiluo-msft commented Aug 24, 2022

@ciju-juniper Could you help verify and review?

@lgtm-com
Copy link

lgtm-com bot commented Aug 24, 2022

This pull request introduces 1 alert when merging e783a42 into adffbd4 - view on LGTM.com

new alerts:

  • 1 for Unused local variable

maipbui added 3 commits August 24, 2022 22:20
@maipbui
Remove unused variable
25af1be 
Signed-off-by: maipbui <maibui@microsoft.com>
@maipbui
Add more args
954c0da 
Signed-off-by: maipbui <maibui@microsoft.com>
@maipbui
Remove center directory
83d60d5 
Signed-off-by: maipbui <maibui@microsoft.com>
@maipbui
Remove os.system
f380aae 
Signed-off-by: maipbui <maibui@microsoft.com>
@lgtm-com
Copy link

lgtm-com bot commented Aug 31, 2022

This pull request introduces 3 alerts when merging f380aae into 6e878a3 - view on LGTM.com

new alerts:

  • 2 for Unused local variable
  • 1 for Unused import

@maipbui
Remove shutil and use subprocess and with
2fa4ded 
Signed-off-by: maipbui <maibui@microsoft.com>
@maipbui
Use with
109303e 
Signed-off-by: maipbui <maibui@microsoft.com>
@maipbui
Simplify code
d40d086 
Signed-off-by: maipbui <maibui@microsoft.com>
@lgtm-com
Copy link

lgtm-com bot commented Sep 1, 2022

This pull request introduces 1 alert when merging d40d086 into 88191b0 - view on LGTM.com

new alerts:

  • 1 for Unused import

@maipbui
Fix lgtm
b44a588 
Signed-off-by: maipbui <maibui@microsoft.com>
@maipbui maipbui marked this pull request as ready for review September 2, 2022 13:34
@maipbui
Output text processing
a000b35 
Signed-off-by: maipbui <maibui@microsoft.com>
@maipbui
Copy link
Contributor Author

maipbui commented Sep 12, 2022

/azp run Azure.sonic-buildimage

@azure-pipelines
Copy link

azure-pipelines bot commented Sep 12, 2022

Azure Pipelines successfully started running 1 pipeline(s).

@maipbui
Copy link
Contributor Author

maipbui commented Sep 13, 2022

/azp run Azure.sonic-buildimage

@azure-pipelines
Copy link

azure-pipelines bot commented Sep 13, 2022

Azure Pipelines successfully started running 1 pipeline(s).

@maipbui
Replace unsafe funcs in platform
9acf59c 
Signed-off-by: maipbui <maibui@microsoft.com>
@maipbui maipbui requested a review from lguohan as a code owner September 19, 2022 15:26
@lgtm-com
Copy link

lgtm-com bot commented Sep 19, 2022

This pull request introduces 6 alerts when merging 9acf59c into c243af0 - view on LGTM.com

new alerts:

  • 4 for Unused import
  • 1 for First parameter of a method is not named 'self'
  • 1 for Wrong number of arguments in a call

@maipbui
Fix lgtm
e667990 
Signed-off-by: maipbui <maibui@microsoft.com>
qiluo-msft
qiluo-msft reviewed Sep 19, 2022
View reviewed changes
platform/broadcom/sonic-platform-modules-juniper/qfx5210/utils/juniper_qfx5210_util.py Outdated
show_set_help()
return
#print ALL_DEVICE['led']
#print( ALL_DEVICE['led']
Copy link
Collaborator

@qiluo-msft qiluo-msft Sep 19, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(

This change does not make sense. Please revert. #Closed

qiluo-msft
qiluo-msft reviewed Sep 19, 2022
View reviewed changes
platform/broadcom/sonic-platform-modules-juniper/qfx5210/utils/juniper_qfx5210_util.py Outdated
return

#print ALL_DEVICE[args[0]]
#print( ALL_DEVICE[args[0]]
Copy link
Collaborator

@qiluo-msft qiluo-msft Sep 19, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(

Please revert. #Closed

qiluo-msft
qiluo-msft reviewed Sep 19, 2022
View reviewed changes
platform/broadcom/sonic-platform-modules-juniper/qfx5210/utils/juniper_qfx5210_util.py
print("============================================")

for j in sorted(ALL_DEVICE[i].keys(), key=get_value):
print " "+j+":",
Copy link
Collaborator

@qiluo-msft qiluo-msft Sep 19, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

,

Original print without newline, the new code changes behavior. #Closed

Copy link
Collaborator

@qiluo-msft qiluo-msft Oct 14, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Strictly speaking, you are using a blank as end, you should use empty string.

Copy link
Contributor Author

@maipbui maipbui Oct 17, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think blank space should be used, ref: https://stackoverflow.com/a/18908914/19880750

Copy link
Collaborator

@qiluo-msft qiluo-msft Oct 17, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree.

@lgtm-com
Copy link

lgtm-com bot commented Oct 5, 2022

This pull request introduces 1 alert when merging b53376c into 1f0699f - view on LGTM.com

new alerts:

  • 1 for Comparison using is when operands support `__eq__`

@maipbui
Fix lgtm
59ce323 
Signed-off-by: maipbui <maibui@microsoft.com>
@maipbui
Copy link
Contributor Author

maipbui commented Oct 18, 2022

@ciju-juniper Could you help review and verify?

@maipbui
Fix code to be consistent with original behavior
fb8b24f 
Signed-off-by: maipbui <maibui@microsoft.com>
@lgtm-com
Copy link

lgtm-com bot commented Nov 21, 2022

This pull request introduces 2 alerts when merging fb8b24f into 7b4032e - view on LGTM.com

new alerts:

  • 1 for Unused import
  • 1 for Syntax error

Heads-up: LGTM.com's PR analysis will be disabled on the 5th of December, and LGTM.com will be shut down ⏻ completely on the 16th of December 2022. Please enable GitHub code scanning, which uses the same CodeQL engine ⚙️ that powers LGTM.com. For more information, please check out our post on the GitHub blog.

@maipbui
fix lgtm
2b45169 
Signed-off-by: maipbui <maibui@microsoft.com>
@lgtm-com
Copy link

lgtm-com bot commented Nov 21, 2022

This pull request introduces 1 alert when merging 2b45169 into 77b1be7 - view on LGTM.com

new alerts:

  • 1 for Syntax error

Heads-up: LGTM.com's PR analysis will be disabled on the 5th of December, and LGTM.com will be shut down ⏻ completely on the 16th of December 2022. Please enable GitHub code scanning, which uses the same CodeQL engine ⚙️ that powers LGTM.com. For more information, please check out our post on the GitHub blog.

@maipbui maipbui merged commit 2f6b34a into sonic-net:master Nov 22, 2022
@maipbui maipbui deleted the juniper_security branch November 22, 2022 15:46
StormLiangMS pushed a commit to StormLiangMS/sonic-buildimage that referenced this pull request Dec 8, 2022
@maipbui @StormLiangMS
[device/juniper] Mitigation for security vulnerability (sonic-net#11838)
8f52ee0 
Signed-off-by: maipbui maibui@microsoft.com
Dependency: [https://github.com/sonic-net/sonic-buildimage/pull/12065](https://github.com/sonic-net/sonic-buildimage/pull/12065)
#### Why I did it
`commands` module is not secure
command injection in `getstatusoutput` being used without a static string
#### How I did it
Eliminate `commands` module, use `subprocess` module only
Convert Python 2 to Python 3
StormLiangMS pushed a commit that referenced this pull request Dec 10, 2022
@maipbui @StormLiangMS
[device/juniper] Mitigation for security vulnerability (#11838)
4963c1c 
Signed-off-by: maipbui maibui@microsoft.com
Dependency: [https://github.com/sonic-net/sonic-buildimage/pull/12065](https://github.com/sonic-net/sonic-buildimage/pull/12065)
#### Why I did it
`commands` module is not secure
command injection in `getstatusoutput` being used without a static string
#### How I did it
Eliminate `commands` module, use `subprocess` module only
Convert Python 2 to Python 3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@qiluo-msft qiluo-msft qiluo-msft approved these changes

@lguohan lguohan Awaiting requested review from lguohan lguohan is a code owner

Assignees

No one assigned

Labels

Static Code Analysis

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@maipbui @qiluo-msft