Fix code injection in extension_utils.py

[ready-research]

PR types

Bug fixes

PR changes

OPs

Description

This uses shlex for safe command parsing to fix arbitrary code injection. This fixes the arbitrary code execution vulnerability using python stdlib tool shlex, which escapes the characters in the text and makes sure that any parsing does not happen inside a shell. Just like other fix for _wget_download

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[ehtec]

People you are doing this wrong, you can't fix this issue like that. There is nothing you can do inside run_cmd function to fix the security problem. The shlex.quote needs to be used on user supplied input in all other functions calling run_cmd. Putting quotes around the whole command will solve nothing, it will just put quotes around the whole command and thus break the application, as you can see in the CI pipeline.

[ready-research]

@ehtec @wanghuancoder Can you please review this? or suggest a way to fix this issue. Thanks.

I am not sure about check failures.

[wanghuancoder]

目前单测中用到了shell=True这种场景。如果要删掉shell=True。可以对command做一下字符串处理，将command split成多个参数。

[ready-research]

@wanghuancoder #61285 is fixing this issue?

[paddle-ci-bot]

Sorry to inform you that 2c308c0's CIs have passed for more than 7 days. To prevent PR conflicts, you need to re-run all CIs manually.