Security3 #10944
Merged
Security3 #10944
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
akx
reviewed
Feb 13, 2023
| @@ -597,7 +598,8 @@ def main(opt, callbacks=Callbacks()): | |||
| # ei = [isinstance(x, (int, float)) for x in hyp.values()] # evolvable indices | |||
| evolve_yaml, evolve_csv = save_dir / 'hyp_evolve.yaml', save_dir / 'evolve.csv' | |||
| if opt.bucket: | |||
| os.system(f'gsutil cp gs://{opt.bucket}/evolve.csv {evolve_csv}') # download evolve.csv if exists | |||
| subprocess.run( | |||
| f'gsutil cp gs://{opt.bucket}/evolve.csv {evolve_csv}'.split()) # download evolve.csv if exists | |||
There was a problem hiding this comment.
This will break if the bucket name or filename contains a space.
(This repeats for the other gsutil incantation.)
| @@ -461,7 +462,7 @@ def main(opt): | |||
| r, _, t = run(**vars(opt), plots=False) | |||
| y.append(r + t) # results and times | |||
| np.savetxt(f, y, fmt='%10.4g') # save | |||
| os.system('zip -r study.zip study_*.txt') | |||
| subprocess.run('zip -r study.zip study_*.txt'.split()) | |||
There was a problem hiding this comment.
I don't think this change really makes anything more secure.
(This repeats for the other zip.)
| @@ -50,7 +50,8 @@ def safe_download(file, url, url2=None, min_bytes=1E0, error_msg=''): | |||
| if file.exists(): | |||
| file.unlink() # remove partial downloads | |||
| LOGGER.info(f'ERROR: {e}\nRe-attempting {url2 or url} to {file}...') | |||
| os.system(f"curl -# -L '{url2 or url}' -o '{file}' --retry 3 -C -") # curl download, retry and resume on fail | |||
| subprocess.run( | |||
| f"curl -# -L '{url2 or url}' -o '{file}' --retry 3 -C -".split()) # curl download, retry and resume on fail | |||
There was a problem hiding this comment.
Same space-brokenness here, not to mention there will now be quotes in the split arguments that wouldn't be there otherwise. (This repeats for the other curl.)
akx
added a commit
to akx/yolov5
that referenced
this pull request
Feb 13, 2023
Subprocess.run does not return an integer. Regressed in ultralytics#10944
akx
added a commit
to akx/yolov5
that referenced
this pull request
Feb 13, 2023
akx
added a commit
to akx/yolov5
that referenced
this pull request
Feb 13, 2023
akx
added a commit
to akx/yolov5
that referenced
this pull request
Feb 13, 2023
glenn-jocher
pushed a commit
that referenced
this pull request
Feb 13, 2023
Subprocess.run does not return an integer. Regressed in #10944
glenn-jocher
added a commit
that referenced
this pull request
Feb 13, 2023
* Use list-form arguments for subprocess.run calls where possible Augments #10944 * Deduplicate curl code * Avoid eval() to parse integer --------- Signed-off-by: Glenn Jocher <glenn.jocher@ultralytics.com> Co-authored-by: Glenn Jocher <glenn.jocher@ultralytics.com>
Smfun12
pushed a commit
to Smfun12/yolov5
that referenced
this pull request
Mar 24, 2023
* Security improvements * Security improvements * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --------- Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Smfun12
pushed a commit
to Smfun12/yolov5
that referenced
this pull request
Mar 24, 2023
Subprocess.run does not return an integer. Regressed in ultralytics#10944
Smfun12
pushed a commit
to Smfun12/yolov5
that referenced
this pull request
Mar 24, 2023
* Use list-form arguments for subprocess.run calls where possible Augments ultralytics#10944 * Deduplicate curl code * Avoid eval() to parse integer --------- Signed-off-by: Glenn Jocher <glenn.jocher@ultralytics.com> Co-authored-by: Glenn Jocher <glenn.jocher@ultralytics.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
π οΈ PR Summary
Made with β€οΈ by Ultralytics Actions
π Summary
Upgraded system calls to subprocess module for better security and compliance.
π Key Changes
os.systemcalls withsubprocess.runin files such astrain.py,val.py, anddownloads.py.subprocessmodule in files where system calls have been replaced.π― Purpose & Impact
subprocessprevents shell injection vulnerabilities that can occur withos.system.subprocessallows better handling of exceptions and program output.