Skip to content

fix: security and reliability improvements#322

Open
ianhandy wants to merge 271 commits into
extrabacon:masterfrom
ianhandy:maintainer-improvements
Open

fix: security and reliability improvements#322
ianhandy wants to merge 271 commits into
extrabacon:masterfrom
ianhandy:maintainer-improvements

Conversation

@ianhandy
Copy link
Copy Markdown

@ianhandy ianhandy commented Mar 16, 2026

Summary

I'm interested in helping maintain this project (ref #290). This PR demonstrates the kind of improvements I'd bring:

  • Fix runString() temp path bugtmpdir was used as a reference instead of tmpdir(), writing temp files to the wrong location (fixes the issue in Fix runString temp path to use tmpdir() and add regression test #320)
  • Fix command injection vulnerabilitycheckSyntaxFile, getVersion, and getVersionSync used exec() with string interpolation, which is unsafe. Replaced with execFile() which passes args as an array
  • Add temp file cleanuprunString() and checkSyntax() now clean up their temp .py files via .finally()
  • Modernize internals — replaced custom extend() helper with Object.assign, updated minimum Node.js from 0.10 to 16
  • Re-enable getVersion tests — these were disabled since getVersionSync test fails in appveyor #158 (AppVeyor-era). They pass on all platforms now
  • Add GitHub Actions CI — matrix testing across Node 18/20/22, Python 3.10/3.12, on Ubuntu/macOS/Windows

All 45 tests passing (43 existing + 2 re-enabled).

Test plan

  • All existing tests pass
  • getVersion/getVersionSync tests re-enabled and passing
  • Verified temp file cleanup works
  • TypeScript compiles cleanly

brucedjones and others added 30 commits January 26, 2018 13:18
@brucedjones
Fixed bugs and updated tests. All tests should now pass.
25226f0
@brucedjones
Merge pull request extrabacon#79 from brucedjones/master
93c197f 
terminate() function
@Almenon
extrabacon#106 CI tests
5571f0f
@Almenon
extrabacon#106 renaming correctly
0127e29
@Almenon
adding default python gitignore
0496bff
@Almenon
extrabacon#106 added appveyor reporter
963148c
@Almenon
extrabacon#107 fixing failing unit tests on windows
3edf595
@Almenon
extrabacon#108 fixing unit tests on python 3
3c97979
@Almenon
upgraded mocha to try to avoid appveyor error
ae175db
@Almenon
fixed extrabacon#109 hardcoded newlines
120d7d9
@Almenon
extrabacon#108 making unit tests p3 compatible
f5d799a
@Almenon
extrabacon#106 adding appveyor badge
8a17480
@Almenon
version bump
7b39d81
@Almenon
Merge branch 'master' of https://github.com/extrabacon/python-shell
f15844a
@Almenon
fixed extrabacon#85 adding explanation for -u
08e71f3
use python3 binary on unix systems
93bb555
@Almenon
Merge pull request extrabacon#133 from CADBOT/python3-fix
8bd4170 
use python3 binary on unix systems
@Almenon
extrabacon#134 converting index to typescript
4cc387a
@Almenon
Merge branch 'master' of https://github.com/extrabacon/python-shell
4d8c6b7
@Almenon
extrabacon#134 doing a final touch-up on some missing types
78c8bf7
@Almenon
fixed stdin/stdout types, made certain params optional, fixed export
2972c61
@Almenon
converting unit tests to typescript extrabacon#134
808719b
@Almenon
renamed script to scriptPath to avoid confusion and got rid of unnece…
08572b0 
…ssary code in run
@Almenon
extrabacon#138 adding functions to check python syntax
c187580
@Almenon
extrabacon#135 added ability to run a python string
5f282e7
@Almenon
extrabacon#130 fixing stderr causing python-shell to emit error
1f24498
@Almenon
extrabacon#130 added recieveStderr function
53a9b9e
@Almenon
forgot to put compile before appveyorTest
2e5b413
@Almenon
spaces > tabs 🗡️
28c61fa
@Almenon
Merge branch 'master' of https://github.com/extrabacon/python-shell
07fd397
Almenon and others added 25 commits February 10, 2023 21:43
@Almenon
Merge pull request extrabacon#282 from extrabacon/test_pr
b03631d 
v5 release
@DawChihLiou
Update example in README.md
705c902
@Almenon
Merge pull request extrabacon#298 from DawChihLiou/fix-example-readme
38ebced 
Update example in README.md
@Almenon
update node&python version
a5a4492
@Almenon
Merge pull request extrabacon#304 from extrabacon/update_node_version
4322298 
update node&python version
@Almenon
Remove bad -u
527d5a3 
No point in -u here because we are getting the print results at the end of the program
@Almenon
Merge pull request extrabacon#307 from extrabacon/Fix-u
0f835c0 
Remove bad -u
@dependabot
Bump hawk and request-json
4016151 
Removes [hawk](https://github.com/mozilla/hawk). It's no longer used after updating ancestor dependency [request-json](https://github.com/hackervents/request-json). These dependencies need to be updated together.


Removes `hawk`

Updates `request-json` from 0.6.3 to 0.6.5
- [Release notes](https://github.com/hackervents/request-json/releases)
- [Commits](https://github.com/hackervents/request-json/commits)

---
updated-dependencies:
- dependency-name: hawk
  dependency-type: indirect
- dependency-name: request-json
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@Almenon
Merge pull request extrabacon#284 from extrabacon/dependabot/npm_and_…
6f44f57 
…yarn/hawk-and-request-json--removed

Bump hawk and request-json
@Almenon
remove unnecessary comment
4345268
@Almenon
upgrade deps
183fa33
@Almenon
upgrade deps
6db3dbd
@Almenon
Merge pull request extrabacon#314 from extrabacon/upgrade_Deps
63fb246 
upgrade deps
@Almenon
remove mocha-appveyor-reporter
a1e1fc4
@Almenon
5.0.1
be055a8
@Almenon
5.0.2
31b3f29
@Almenon
fix err
77a9693
@nurazon59
feat: add format
5a262c2
@Almenon
Merge pull request extrabacon#316 from nurazon59/feat/add-formatter
a31a6f3 
feat: add format
@Almenon
remove unnecessary config
823ef1b 
already the default
@Almenon
ignore autogenerated file
0442335
@nurazon59
ci(appveyor): add Node.js 22 to test matrix
036d5c4
@Almenon
Update appveyor.yml
cbd3777
@Almenon
Merge pull request extrabacon#319 from nurazon59/nurazon59/ci/add-nod…
0cde240 
…e-22-test

ci(appveyor): add Node.js 22 to test matrix
@ianhandy
fix: security and reliability improvements for maintainership
2feabe6 
- Fix runString() using tmpdir reference instead of tmpdir() call (fixes extrabacon#320)
- Replace exec() with execFile() to prevent command injection in
  checkSyntaxFile, getVersion, and getVersionSync
- Add temp file cleanup in runString() and checkSyntax() via .finally()
- Replace custom extend() with Object.assign
- Re-enable getVersion/getVersionSync tests (were disabled since extrabacon#158)
- Add GitHub Actions CI matrix (Node 18/20/22, Python 3.10/3.12, 3 OSes)
- Update minimum Node.js engine from 0.10 to 16
@ianhandy ianhandy mentioned this pull request Mar 16, 2026
Open
@ianhandy ianhandy force-pushed the maintainer-improvements branch from f206f6c to 2feabe6 Compare March 16, 2026 02:43
@StantonMatt
Copy link
Copy Markdown

StantonMatt commented Jun 2, 2026

I took a triage pass on this because it is tied to #290. I don't think this is reviewable as one PR in its current shape: GitHub reports it as conflicting, and the diff combines several unrelated tracks: issue templates, GitHub Actions, AppVeyor, TypeScript conversion (index.js / test/test-python-shell.js removed and index.ts / test/test-python-shell.ts added), a package-lock replacement, README/changelog updates, temp-file cleanup, execFile hardening, and the runString() tmpdir fix.

The pieces that look easiest to make reviewable are the security/bug fixes split one at a time with focused tests:

  • exec -> execFile for checkSyntaxFile, getVersion, and getVersionSync
  • temp-file cleanup for runString() / checkSyntax()
  • GitHub Actions CI as its own PR

The runString() tmpdir part is now covered separately by #330, so I would drop that from this branch to avoid overlap. I did not run local tests against this branch because the merge conflicts need to be resolved first.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.