From 694b17d678d2aae711aa2904016284f9dffe8d2a Mon Sep 17 00:00:00 2001
From: James McMullan
Date: Wed, 3 Jul 2024 08:35:21 -0400
Subject: [PATCH] HPCC4J-620: Jirabot: Sanitize information coming from external sources

- Removed code that printed out untrusted information
- Modified curl command to use more secure subprocess module

Signed-off-by: James McMullan James.McMullan@lexisnexis.com
---
 .github/workflows/Jirabot.yml | 6 ++----
 .github/workflows/JirabotMerge.yml | 1 -
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/Jirabot.yml b/.github/workflows/Jirabot.yml
index 3e779dcac..a6974fd2d 100644
--- a/.github/workflows/Jirabot.yml
+++ b/.github/workflows/Jirabot.yml
@@ -110,7 +110,6 @@ jobs:
 github_token = os.environ['GITHUB_TOKEN']
 comments_url = os.environ['COMMENTS_URL']
- print("%s %s %s" % (title, prAuthor, comments_url))
 result = ''
 issuem = re.search("(HPCC4J|JAPI)-[0-9]+", title)
 if issuem:
@@ -132,7 +131,7 @@ jobs:
 if userSearchResults and len(userSearchResults) > 0:
 jiraUser = userSearchResults[0]
 else:
- print('Error: Unable to find Jira user: ' + prAuthor + ' continuing without assigning')
+ print('Error: Unable to map GitHub user to Jira user, continuing without assigning')
 if not jira.issue_exists(issue_name):
 sys.exit('Error: Unable to find Jira issue: ' + issue_name)
@@ -159,8 +158,7 @@ jobs:
 # Escape the result for JSON
 result = json.dumps(result)
- curlCommand = 'curl -X POST %s -H "Content-Type: application/json" -H "Authorization: token %s" --data \'{ "body": %s }\'' % ( comments_url, github_token, result )
- os.system(curlCommand)
+ subprocess.run(['curl', '-X', 'POST', comments_url, '-H', 'Content-Type: application/json', '-H', f'Authorization: token {github_token}', '--data', f'{{ "body": {result} }}'], check=True)
 else:
 print('Unable to find Jira issue name in title')
diff --git a/.github/workflows/JirabotMerge.yml b/.github/workflows/JirabotMerge.yml
index 27f4cb449..772dc4fb9 100644
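Review bot: The reworded diagnostic on the new `print(...)` line still goes to stdout, interleaved with the normal workflow output, while the hard failure two lines below uses `sys.exit(...)`, which writes to stderr; routing this one to stderr as well keeps the two streams consistent for anyone grepping the job log: `print('Error: Unable to map GitHub user to Jira user, continuing without assigning', file=sys.stderr)`. The user lookup and the enclosing `if issuem:` block start before the hunk.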
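Review bot: curl exits 0 on an HTTP 4xx/5xx response unless asked to fail, so `check=True` on the new `subprocess.run` line only catches launch and transport failures; a 401/403/422 from the comments API still passes silently, exactly as it did under `os.system`. One extra argument closes that gap: `subprocess.run(['curl', '-fsS', '-X', 'POST', comments_url, ...], check=True)`. Be aware that the token now sits in the process argv (visible to `ps` on the runner) and is echoed in the `CalledProcessError` message if the call fails; Actions masks `GITHUB_TOKEN` in logs, but posting with `urllib.request` from the stdlib would keep it out of argv entirely. The diffstat shows no added import line, so unless the inline script already has `import subprocess` this raises `NameError` at runtime; that import is outside the hunk and worth confirming. The enclosing `if issuem:` block starts before the hunk.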
--- a/.github/workflows/JirabotMerge.yml
+++ b/.github/workflows/JirabotMerge.yml
@@ -202,7 +202,6 @@ jobs:
 branch_name = os.environ['BRANCH_NAME']
 comments_url = os.environ['COMMENTS_URL']
- print("Attempting to close out Jira issue: %s %s %s" % (title, user, comments_url))
 result = ''
 issuem = re.search("(HPCC4J|JAPI)-[0-9]+", title)
 if issuem: