
Avoid dangerous file parsing and object serialization libraries. yaml.load is the obvious function to use, but it is dangerous[1]: because yaml.load can return arbitrary Python objects, it may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load limits this ability to simple Python objects like integers or lists. In addition, Bandit flags yaml.load() as a security risk, so all occurrences should be replaced with yaml.safe_load(). Thus I replace yaml.load() with yaml.safe_load(). [1] https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html Change-Id: Ife71148013d5f94ec5ae62633ff9a41f419bd3b7 Closes-Bug: #1634265
asset_file="$1"
|
|
#Chunk the yaml assets into begin_line_number,end_line_number sections
|
|
awk '{line+=1}/^ -/{end=line-1; if(start > 0){print start "," end}; count+=1;start=line;}END{print start "," line}' "$asset_file" | while read line; do
|
|
size=`echo $line | awk -F, '{print $2-$1+1}'`
|
|
end=`echo $line | awk -F, '{print $2}'`
|
|
name=`head -n $end "$asset_file" | tail -n $size | python -c 'import yaml,sys; print yaml.safe_load(sys.stdin)[0]["name"]'`
|
|
date=`git blame -w -L $line "$asset_file" | sed 's/^[^(]*(\([^)]*\)).*/\1/' | python -c 'import sys,dateutil.parser; print max([dateutil.parser.parse("%s %s%s"%(j[0], j[1], j[2])) for j in [i.split()[-4:] for i in sys.stdin.readlines()]])'`
|
|
#Dump out the name of the asset, and the last modified date as a json doc to stdout to be reassembled outside the loop into one document
|
|
(echo $name; echo $date) | python -c 'import sys,json; print json.dumps([i.strip() for i in sys.stdin.readlines()]),'
|
|
done | python -c 'import sys,json,yaml; print yaml.safe_dump({"assets":dict([[j[0], {"last_modified":j[1]}] for j in [json.loads(i) for i in sys.stdin.readlines()]])}),' #Assemble the individual json documents from the loop into one big one.
|
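Review bot: The asset name extracted from the YAML with yaml.safe_load is expanded unquoted in the `(echo $name; echo $date)` subshell near the end of the loop, so a name containing whitespace or glob characters is word-split or globbed, and a name beginning with `-n` or `-e` is consumed as an echo option before it reaches json.dumps; `printf '%s\n' "$name" "$date"` passes both values through verbatim. The same unquoted expansion applies to `$line` in the two `echo $line | awk -F,` commands and to `$end`/`$size` in the head/tail pipeline, and `while read line` should be `while read -r line` so a backslash in the awk output is not interpreted. The remaining `print` statements in the `python -c` snippets are Python 2 syntax, which may be worth a comment since safe_load alone does not make the script runnable under Python 3.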