fix(build): prevent command injection and race conditions in build script #1551
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ript - Replace os.system() with subprocess.run() to prevent shell injection attacks - Fix race condition in determine_compiler() where temp.txt could be read before completion - Remove dangerous 'DEL *sqlsrv*' pattern that could delete unintended files - Add input validation for all constructor parameters - Fix bare 'except:' clauses that could catch KeyboardInterrupt - Prevent duplicate extension entries in php.ini - Use os.path.join() consistently to fix Windows/Linux path issues - Add proper error handling for file operations - Add command-line interface with argparse - Add type hints for better code safety
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## dev #1551 +/- ##
==========================================
- Coverage 83.45% 83.08% -0.38%
==========================================
Files 22 22
Lines 7851 7843 -8
==========================================
- Hits 6552 6516 -36
- Misses 1299 1327 +28 🚀 New features to boost your workflow:
|
Author
|
@microsoft-github-policy-service agree |
Contributor
|
/azp run |
|
Azure Pipelines will not run the associated pipelines, because the pull request was updated after the run command was issued. Review the pull request again and issue a new run command. |
Contributor
|
@SajanGhimire1 Thanks for raising the PR for this fix, I would like you to please resolve the conflicts in this PR since now we will also be supporting PHP8.4 there are few changes in build script. |
Author
|
@microsoft-github-policy-service agree |
…DO build script - Replace os.system() with subprocess.run() for safer command execution - Add validation for PHP version, driver, architecture, and thread inputs - Fix indentation issues in remove_old_builds() and copy_binary() - Safely remove old builds and previous binaries - Ensure php.ini updates only append missing extensions - Add debug flags handling in config.w32 for debug builds - Update template.rc and CREDITS with correct driver names and versions - Cross-platform safe copying of source files and binaries - Improved logging and error handling during batch file execution
Contributor
|
@SajanGhimire1 I still see there is conflict in your file |
…xecution - Updated compiler detection logic to support PHP 8.x / 8.4 (VS17) - Replaced os.system calls with subprocess.run for safer execution - Added input validation for PHP version, architecture, driver, and thread options - Improved build cleanup and file handling to avoid unsafe deletions - Added platform guard to skip builds on unsupported systems - Refined build and copy logic to align with updated PHP SDK behavior
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…ript