HPCC4J-620: Jirabot: Sanitize information coming from external sources

- Removed code that printed out untrusted information - Modified curl command to use more secure subprocess module Signed-off-by: James McMullan [email protected]
hpcc-systems · Jul 3, 2024 · 694b17d · 694b17d
1 parent d3181a4
commit 694b17d
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 5 deletions.
diff --git a/.github/workflows/Jirabot.yml b/.github/workflows/Jirabot.yml
@@ -110,7 +110,6 @@ jobs:
             github_token = os.environ['GITHUB_TOKEN']
             comments_url = os.environ['COMMENTS_URL']
 
-            print("%s %s %s" % (title, prAuthor, comments_url))
             result = ''
             issuem = re.search("(HPCC4J|JAPI)-[0-9]+", title)
             if issuem:
@@ -132,7 +131,7 @@ jobs:
                 if userSearchResults and len(userSearchResults) > 0:
                     jiraUser = userSearchResults[0]
                 else:
-                    print('Error: Unable to find Jira user: ' + prAuthor + ' continuing without assigning')
+                    print('Error: Unable to map GitHub user to Jira user, continuing without assigning')
 
                 if not jira.issue_exists(issue_name):
                     sys.exit('Error: Unable to find Jira issue: ' + issue_name)
@@ -159,8 +158,7 @@ jobs:
                 # Escape the result for JSON
                 result = json.dumps(result)
 
-                curlCommand = 'curl -X POST %s -H "Content-Type: application/json" -H "Authorization: token %s" --data \'{ "body": %s }\'' % ( comments_url, github_token, result )
-                os.system(curlCommand)
+                subprocess.run(['curl', '-X', 'POST', comments_url, '-H', 'Content-Type: application/json', '-H', f'Authorization: token {github_token}', '--data', f'{{ "body": {result} }}'], check=True)
             else:
                 print('Unable to find Jira issue name in title')
 

diff --git a/.github/workflows/JirabotMerge.yml b/.github/workflows/JirabotMerge.yml
@@ -202,7 +202,6 @@ jobs:
             branch_name = os.environ['BRANCH_NAME']
             comments_url = os.environ['COMMENTS_URL']
 
-            print("Attempting to close out Jira issue: %s %s %s" % (title, user, comments_url))
             result = ''
             issuem = re.search("(HPCC4J|JAPI)-[0-9]+", title)
             if issuem: