Comments (7)
When I learned about invoke and run, my first thought was, "Can I pass command args as a list of strings as I can with subprocess.run?" The documentation at https://docs.pyinvoke.org/en/stable/api/runners.html#invoke.runners.Runner.run didn't answer that for me, because it wasn't clear if the option of passing a list of args was possible but not mentioned, or not possible. I agree with #2 (comment) that
… it would be nice to update run’s documentation to reflect that escaping isn’t provided and mention the risks so users can make an educated decision. … This could just be a single sentence in http://docs.pyinvoke.org/en/stable/api/runners.html#invoke.runners.Runner.run, or mentioning the lack of escaping of the command parameter. Perhaps with a link back to this issue for further info.
If there was a way to vote for making the command parameter into *command, I'd be voting for it. I dislike invoking shells unless I really want to use the shell. And I like being protected from getting the shell's syntax or escaping wrong.
I'd absolutely love to use plumbum inside invoke. It's become my de-facto scripting "language" since I knew it.
Anyways, I think that being able to pass an argv list instead of a string is really needed, no matter the implementation.
Another angle on this is the use of tools like sh.py or plumbum, which attempt to bridge arbitrary shell string execution with Python-level function invocations. The latter can easily protect against injection style attacks because all the parameters/flags/values/etc are being handled independently and can be filtered/transformed before/while constructing the final string (or list/vector).
I'm not at all sure I want to pull in one of those or use it as the primary invocation style, but it should definitely be considered as an option.
And re: the SQL-style parameter substitution in this ticket's description, I'm on the fence as to whether that should be default or not. Being secure by default is a great idea, but it's unclear whether untrusted input is a big concern here - most users of eg Fabric and Makefiles are running their own commands or commands from an implicitly-trusted shared codebase.
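The difference the first comment and the one above are getting at, shown as an added example that is not code from the invoke project: a command flattened into a single string for a shell-based `run()` versus the same argv quoted element by element (the "SQL-style" substitution idea) or passed as a list to `subprocess.run`. The file name is a constructed sample; `shell_would_see` uses `shlex.split` only, so no shell is executed.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample: a legitimate file name that happens to contain a
# shell metacharacter and whitespace.
UNTRUSTED_NAME = "notes; draft.txt"
ARGV = ["ls", "-l", UNTRUSTED_NAME]


def naive_command(argv):
    """What a caller does today: flatten argv into the string run() wants."""
    return " ".join(argv)


def quoted_command(argv):
    """Same string, but every element is quoted for a POSIX shell first."""
    return shlex.join(argv)


def format_command(template, *params):
    """The SQL-style substitution idea from the issue: the template is
    trusted, every parameter is quoted before it is interpolated."""
    return template.format(*(shlex.quote(str(p)) for p in params))


def shell_would_see(command):
    """Split the string into words as a POSIX shell would (shlex does not
    interpret ';' or other operators, and no shell is run here)."""
    return shlex.split(command)


def run_argv(argv):
    """subprocess.run with a list: argv reaches the child unchanged.
    The child is a Python one-liner that echoes its argv as JSON, so this
    runs offline and without depending on ls being installed."""
    child = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))", *argv]
    proc = subprocess.run(child, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    print(shell_would_see(naive_command(ARGV)))   # file name split in two
    print(shell_would_see(quoted_command(ARGV)))  # intact
    print(shell_would_see(format_command("ls -l {}", UNTRUSTED_NAME)))
    print(run_argv(ARGV))
```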
Suggest making the issue title clearer. Something like,
Allow argc list for command in run(), like subprocess.run()
The existing title "Possible alternative, safer run() interpolation" doesn't mention "argc" or "list" or "command", which are the keywords that are most prominent in my mind. And "subprocess.run()" is now an obvious model for invoke to resemble. It wasn't there when this issue was opened, was it?
@pfmoore notes that this style of invocation (list-based instead of string-based) is also beneficial on some Windows platforms, see link to #312 above.
Seems there's a(n old) PR for this, #341 - linking for possible use when I get to this.
I see there are two PRs open to address this, #341 and the more recent #698. I’m not able to judge whether they are in any position to be approved and merged – in the meantime I think it would be nice to update run’s documentation to reflect that escaping isn’t provided and mention the risks so users can make an educated decision.
This could just be a single sentence in http://docs.pyinvoke.org/en/stable/api/runners.html#invoke.runners.Runner.run, or mentioning the lack of escaping of the command parameter. Perhaps with a link back to this issue for further info.
I’d be very happy to make that documentation PR, or do what I can to help get #341 / #698 merged, if someone more experienced with the project can provide guidance.