Re: [PR] sdks/python/scripts: fix posargs for `run_pytest.sh` [beam]

Tue, 29 Jul 2025 20:50:12 -0700 


gemini-code-assist[bot] commented on code in PR #35733:
URL: https://github.com/apache/beam/pull/35733#discussion_r2241466243


##########
sdks/python/scripts/run_pytest.sh:
##########
@@ -62,16 +81,60 @@ if [[ -n $user_marker ]]; then
   marker_for_sequential_tests="($user_marker) and 
($marker_for_sequential_tests)"
 fi
 
+# Parse posargs to separate pytest options from test paths.
+options=""
+test_paths=""
+
+# Safely split the posargs string into individual arguments.
+eval "set -- $posargs"

Review Comment:
   I understand your request for an alternative that "fits nicely" within the 
existing script structure while addressing the `critical` command injection 
vulnerability. The use of `eval` with user-controlled input like `$posargs` is 
inherently unsafe, as it allows arbitrary command execution if a malicious 
string is passed.
   
   To safely parse the arguments, respecting quotes, without using `eval`, you 
can implement a manual parsing loop. This approach is more verbose but provides 
a robust and secure way to handle the argument splitting.
   
   This code snippet replaces the `eval` call with a manual parser that 
correctly handles arguments enclosed in single or double quotes, ensuring that 
the script remains secure against command injection.
   
   ```suggestion
   parsed_args=()
   current_arg=""
   in_quote='' # Can be '', "'", or '"'
   
   for (( i=0; i<${#posargs}; i++ )); do
     char="${posargs:$i:1}"
   
     if [[ "$in_quote" == '' ]]; then
       if [[ "$char" == "'" || "$char" == "\"" ]]; then
         in_quote="$char"
       elif [[ "$char" == " " ]]; then
         # Add current_arg to parsed_args if not empty
         if [[ -n "$current_arg" ]]; then
           parsed_args+=("$current_arg")
           current_arg=""
         fi
       else
         current_arg+="$char"
       fi
     else # Inside a quote
       if [[ "$char" == "$in_quote" ]]; then
         in_quote='' # End of quote
       else
         current_arg+="$char"
       fi
     fi
   done
   
   # Add the last argument if it's not empty
   if [[ -n "$current_arg" ]]; then
     parsed_args+=("$current_arg")
   fi
   
   set -- "${parsed_args[@]}"
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to