Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Subprocess improvements #10973

Merged
merged 4 commits into from
Feb 13, 2023
Merged

Subprocess improvements #10973

merged 4 commits into from
Feb 13, 2023

Conversation

akx
Copy link
Contributor

@akx akx commented Feb 13, 2023
edited by UltralyticsAssistant
Loading

  • Use lists wherever possible (augments Security3 #10944)
  • Deduplicate curl-calling code
  • Avoid calling eval() on gsutil output

🛠️ PR Summary

Made with ❤️ by Ultralytics Actions

🌟 Summary

Refactoring subprocess calls in the Ultralytics YOLOv5 repository for better security and performance.

📊 Key Changes

  • Replaced subprocess command strings with lists to improve code security against shell injection attacks.
  • Modified subprocess shell parameter usage for better practices.
  • Added a new function curl_download in utils/downloads.py to handle curl downloads with retry support.
  • Cleaned up and simplified code for calling external commands via subprocess to ensure consistency.

🎯 Purpose & Impact

  • 🛡️ Enhancing Security: Use of subprocess lists over strings prevents shell injection vulnerabilities.
  • 💡 Maintaining Clarity: Codebase becomes clearer and more maintainable with a standard approach for subprocess calls.
  • 🔄 Improving Reliability: Implementation of the curl_download function with retry logic ensures more robust file downloads.
  • 🔧 Streamlining Operations: These improvements lead to a more efficient development process and potentially fewer errors during model training, export, and validation scripts, benefiting developers and users by providing a more stable tool.

@glenn-jocher
Merge branch 'master' into subprocess-security
fd641ed 
Signed-off-by: Glenn Jocher <glenn.jocher@ultralytics.com>
@glenn-jocher
Copy link
Member

@akx thanks for the PR! I've been working on security improvements here and at https://github.com/ultralytics/ultralytics using Snyk. This repo in particular shows a lot of code injection vulnerabilities, but it's been hard to reduce them.

Screenshot 2023-02-13 at 17 44 29

@glenn-jocher glenn-jocher merged commit a2de5c5 into ultralytics:master Feb 13, 2023
@glenn-jocher
Copy link
Member

@akx new results look much better! All high severity issues are gone now :)

Screenshot 2023-02-13 at 18 05 42

Most of the remaining medium severity ones are path traversals, i.e.:

Screenshot 2023-02-13 at 18 07 20

Smfun12 pushed a commit to Smfun12/yolov5 that referenced this pull request Mar 24, 2023
@akx @glenn-jocher @Smfun12
Subprocess improvements (ultralytics#10973)
9127c9b 
* Use list-form arguments for subprocess.run calls where possible

Augments ultralytics#10944

* Deduplicate curl code

* Avoid eval() to parse integer

---------

Signed-off-by: Glenn Jocher <glenn.jocher@ultralytics.com>
Co-authored-by: Glenn Jocher <glenn.jocher@ultralytics.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@akx @glenn-jocher