
Commit a1fdff9

authored
Use the --option=value syntax for run_command_safely args #1257 (#1270)
Signed-off-by: tdruez <tdruez@nexb.com>
1 parent b3c8b25 commit a1fdff9

3 files changed

+18
-8
lines changed

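--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,13 @@
 Changelog
 =========
 
+v34.6.3 (unreleased)
+--------------------
+
+- Use the ``--option=value`` syntax for args entries in place of ``--option value``
+for fetching Docker images using skopeo through ``run_command_safely`` calls.
+https://github.com/nexB/scancode.io/issues/1257
+
 v34.6.2 (2024-06-18)
 --------------------
 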

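--- a/scanpipe/pipes/fetch.py
+++ b/scanpipe/pipes/fetch.py
@@ -55,6 +55,9 @@ def run_command_safely(command_args):
 commands. It provides a safer and more straightforward API compared to older methods
 like subprocess.Popen.
 
+WARNING: Please note that the `--option=value` syntax is required for args entries,
+and not the `--option value` format.
+
 - This does not use the Shell (shell=False) to prevent injection vulnerabilities.
 - The command should be provided as a list of ``command_args`` arguments.
 - Only full paths to executable commands should be provided to avoid any ambiguity.
@@ -197,12 +200,12 @@ def get_docker_image_platform(docker_url):
 authentication_args = []
 authfile = settings.SCANCODEIO_SKOPEO_AUTHFILE_LOCATION
 if authfile:
-authentication_args.append(f"--authfile {authfile}")
+authentication_args.append(f"--authfile={authfile}")
 
 netloc = urlparse(docker_url).netloc
 if credential := settings.SCANCODEIO_SKOPEO_CREDENTIALS.get(netloc):
 # Username and password for accessing the registry.
-authentication_args.append(f"--creds {credential}")
+authentication_args.append(f"--creds={credential}")
 elif not authfile:
 # Access the registry anonymously.
 authentication_args.append("--no-creds")
@@ -287,12 +290,12 @@ def fetch_docker_image(docker_url, to=None):
 
 authentication_args = []
 if authfile := settings.SCANCODEIO_SKOPEO_AUTHFILE_LOCATION:
-authentication_args.append(f"--authfile {authfile}")
+authentication_args.append(f"--authfile={authfile}")
 
 netloc = urlparse(docker_url).netloc
 if credential := settings.SCANCODEIO_SKOPEO_CREDENTIALS.get(netloc):
 # Credentials for accessing the source registry.
-authentication_args.append(f"--src-creds {credential}")
+authentication_args.append(f"--src-creds={credential}")
 
 cmd_args = (
 str(skopeo_executable),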
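Review bot: The appends `--creds={credential}` in get_docker_image_platform and `--src-creds={credential}` in fetch_docker_image still put the registry `user:password` into the skopeo argv, where it can be read from the process list by other users on the host and would be carried into any log or exception text that echoes the command (whether run_command_safely does so is not visible in these hunks). The commit only changes the separator, so I would at least add a comment at both sites, e.g. `# NOTE: the credential is visible in argv; prefer SCANCODEIO_SKOPEO_AUTHFILE_LOCATION when other users share the host.` The new WARNING in the run_command_safely docstring would also be more useful if it gave the reason: with shell=False and a list of arguments, each entry is passed as a single argv element with no word-splitting, so `--option value` in one entry reaches the program as one malformed token. All three function bodies start and end outside the hunks.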

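--- a/scanpipe/tests/pipes/test_fetch.py
+++ b/scanpipe/tests/pipes/test_fetch.py
@@ -129,14 +129,14 @@ def test_scanpipe_pipes_fetch_docker_image(
 with self.assertRaises(Exception):
 fetch.fetch_docker_image(url)
 cmd_args = mock_run_command_safely.call_args[0][0]
-self.assertIn("--authfile auth.json", cmd_args)
+self.assertIn("--authfile=auth.json", cmd_args)
 
 credentials = {"registry.com": "user:password"}
 with override_settings(SCANCODEIO_SKOPEO_CREDENTIALS=credentials):
 with self.assertRaises(Exception):
 fetch.fetch_docker_image(url)
 cmd_args = mock_run_command_safely.call_args[0][0]
-self.assertIn("--src-creds user:password", cmd_args)
+self.assertIn("--src-creds=user:password", cmd_args)
 
 @mock.patch("scanpipe.pipes.fetch._get_skopeo_location")
 @mock.patch("scanpipe.pipes.fetch.run_command_safely")
@@ -165,14 +165,14 @@ def test_scanpipe_pipes_fetch_get_docker_image_platform(
 with override_settings(SCANCODEIO_SKOPEO_AUTHFILE_LOCATION="auth.json"):
 fetch.get_docker_image_platform(url)
 cmd_args = mock_run_command_safely.call_args[0][0]
-self.assertIn("--authfile auth.json", cmd_args)
+self.assertIn("--authfile=auth.json", cmd_args)
 self.assertNotIn("--no-creds", cmd_args)
 
 credentials = {"registry.com": "user:password"}
 with override_settings(SCANCODEIO_SKOPEO_CREDENTIALS=credentials):
 fetch.get_docker_image_platform(url)
 cmd_args = mock_run_command_safely.call_args[0][0]
-self.assertIn("--creds user:password", cmd_args)
+self.assertIn("--creds=user:password", cmd_args)
 self.assertNotIn("--no-creds", cmd_args)
 
 def test_scanpipe_pipes_fetch_docker_image_string_injection_protection(self):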
