fix: replace os.system() with subprocess.run() for security and robustness

- Replace os.system() calls with subprocess.run() using list args to avoid shell injection (CWE-78, Bandit B605/B607) - Replace assert-based error handling with proper exceptions (ValueError, RuntimeError, FileNotFoundError) that survive python -O (Bandit B101) - Use sys.executable instead of hardcoded 'python' to ensure correct interpreter (Bandit B607) Files changed: cmake_build.py, scripts/run_tests.py, compileall.py, amalgamate.py
2026-02-18 13:30:20 +00:00 · 2026-02-08 01:44:02 +05:30 · 2026-02-08 01:44:02 +05:30 · 6f2366dc2d
commit 6f2366dc2d
parent 24428793fc
4 changed files with 34 additions and 22 deletions
--- a/amalgamate.py
+++ b/amalgamate.py
@ -3,9 +3,10 @@ import shutil
 import os
 import sys
 import time
+import subprocess
 from typing import List, Dict

-assert os.system("python prebuild.py") == 0
+subprocess.run([sys.executable, "prebuild.py"], check=True)

 ROOT = 'include/pocketpy'
 PUBLIC_HEADERS = ['config.h', 'export.h', 'vmath.h', 'pocketpy.h']
@ -161,8 +162,9 @@ write_file('amalgamated/pocketpy.h', merge_h_files())
 shutil.copy("src2/main.c", "amalgamated/main.c")

 def checked_sh(cmd):
-	ok = os.system(cmd)
-	assert ok == 0, f"command failed: {cmd}"
+	result = subprocess.run(cmd, shell=True)
+	if result.returncode != 0:
+		raise RuntimeError(f"command failed (exit code {result.returncode}): {cmd}")

 if sys.platform in ['linux', 'darwin']:
 	common_flags = "-O1 --std=c11 -lm -ldl -lpthread -Iamalgamated"
--- a/cmake_build.py
+++ b/cmake_build.py
@ -1,8 +1,9 @@
-import os
+import subprocess
 import sys
 import shutil
+import os

-assert os.system("python prebuild.py") == 0
+subprocess.run([sys.executable, "prebuild.py"], check=True)

 if not os.path.exists("build"):
    os.mkdir("build")
@ -14,16 +15,22 @@ if len(sys.argv) > 1:
 else:
    config = 'Release'

-extra_flags = " ".join(sys.argv[2:])
+extra_flags = sys.argv[2:]

-assert config in ['Debug', 'Release', 'RelWithDebInfo']
+if config not in ['Debug', 'Release', 'RelWithDebInfo']:
+    raise ValueError(f"Invalid config: {config!r}. Must be one of Debug, Release, RelWithDebInfo")

 os.chdir("build")

-code = os.system(f"cmake .. -DPK_ENABLE_MIMALLOC=ON -DPK_ENABLE_DETERMINISM=ON -DCMAKE_BUILD_TYPE={config} {extra_flags}")
-assert code == 0
-code = os.system(f"cmake --build . --config {config} -j 4")
-assert code == 0
+subprocess.run(
+    ["cmake", "..", "-DPK_ENABLE_MIMALLOC=ON", "-DPK_ENABLE_DETERMINISM=ON",
+     f"-DCMAKE_BUILD_TYPE={config}"] + extra_flags,
+    check=True,
+)
+subprocess.run(
+    ["cmake", "--build", ".", "--config", config, "-j", "4"],
+    check=True,
+)

 if sys.platform == "win32":
    shutil.copy(f"{config}/main.exe", "../main.exe")
--- a/compileall.py
+++ b/compileall.py
@ -1,5 +1,6 @@
 import sys
 import os
+import subprocess

 if len(sys.argv) != 4:
    print('Usage: python compileall.py <pocketpy_executable> <source_dir> <output_dir>')
@ -10,9 +11,10 @@ source_dir = sys.argv[2]
 output_dir = sys.argv[3]

 def do_compile(src_path, dst_path):
-    assert os.path.isfile(src_path)
-    cmd = f'{pkpy_exe} --compile "{src_path}" "{dst_path}"'
-    if os.system(cmd) != 0:
+    if not os.path.isfile(src_path):
+        raise FileNotFoundError(f"Source file not found: {src_path}")
+    result = subprocess.run([pkpy_exe, '--compile', src_path, dst_path])
+    if result.returncode != 0:
        print(src_path)
        exit(1)

--- a/scripts/run_tests.py
+++ b/scripts/run_tests.py
@ -7,11 +7,12 @@ pkpy_exe = 'main.exe' if sys.platform == 'win32' else './main'

 def test_file(filepath, cpython=False):
    if cpython:
-        return os.system("python " + filepath) == 0
-    code = os.system(pkpy_exe + ' ' + filepath)
-    if code != 0:
-        print('Return code:', code)
-    return code == 0
+        result = subprocess.run([sys.executable, filepath])
+        return result.returncode == 0
+    result = subprocess.run([pkpy_exe, filepath])
+    if result.returncode != 0:
+        print('Return code:', result.returncode)
+    return result.returncode == 0

 def test_dir(path):
    print("Testing directory:", path)
@ -74,11 +75,11 @@ exit()
            print(res.stdout)
            exit(1)

-code = os.system(f'python compileall.py {pkpy_exe} tests tmp/tests')
-assert code == 0
+subprocess.run([sys.executable, 'compileall.py', pkpy_exe, 'tests', 'tmp/tests'], check=True)

 if len(sys.argv) == 2:
-    assert 'benchmark' in sys.argv[1]
+    if 'benchmark' not in sys.argv[1]:
+        raise ValueError(f"Expected 'benchmark' in argument, got: {sys.argv[1]!r}")
    test_dir('benchmarks/')
 else:
    test_dir('tests/')