1 files changed, 24 insertions, 5 deletions

diff --git a/generate_release.py b/generate_release.py
index 8bec3a0..5ee0a51 100644
--- a/generate_release.py
+++ b/generate_release.py
@@ -44,6 +44,10 @@ def remove_files_with_extensions(path, extensions):
 
 def download_if_not_exists(file_name, url, sha256=None):
     if not os.path.exists('./' + file_name):
+        # Reject non-https URLs so a mistaken constant cannot cause a
+        # plaintext download (bandit B310 hardening).
+        if not url.startswith('https://'):
+            raise Exception('Refusing to download over non-https URL: ' + url)
         log('Downloading ' + file_name + '..')
         data = urllib.request.urlopen(url).read()
         log('Finished downloading ' + file_name)
@@ -58,12 +62,14 @@ def download_if_not_exists(file_name, url, sha256=None):
         log('Using existing ' + file_name)
 
 def wine_run_shell(command):
+    # Keep argv-style invocation (no shell) to avoid command injection.
     if os.name == 'posix':
-        check(os.system('wine ' + command.replace('\\', '/')))
+        parts = ['wine'] + command.replace('\\', '/').split()
     elif os.name == 'nt':
-        check(os.system(command))
+        parts = command.split()
     else:
         raise Exception('Unsupported OS')
+    check(subprocess.run(parts).returncode)
 
 def wine_run(command_parts):
     if os.name == 'posix':
@@ -92,7 +98,20 @@ if os.path.exists('./yt-local'):
 # confused with working directory. I'm calling it the same thing so it will
 # have that name when extracted from the final release zip archive)
 log('Making copy of yt-local files')
-check(os.system('git archive --format tar master | 7z x -si -ttar -oyt-local'))
+# Avoid the shell: pipe `git archive` into 7z directly via subprocess.
+_git_archive = subprocess.Popen(
+    ['git', 'archive', '--format', 'tar', 'master'],
+    stdout=subprocess.PIPE,
+)
+_sevenz = subprocess.Popen(
+    ['7z', 'x', '-si', '-ttar', '-oyt-local'],
+    stdin=_git_archive.stdout,
+)
+_git_archive.stdout.close()
+_sevenz.wait()
+_git_archive.wait()
+check(_sevenz.returncode)
+check(_git_archive.returncode)
 
 if len(os.listdir('./yt-local')) == 0:
     raise Exception('Failed to copy yt-local files')
@@ -136,7 +155,7 @@ if os.path.exists('./python'):
 
 log('Extracting python distribution')
 
-check(os.system(r'7z -y x -opython ' + python_dist_name))
+check_subp(subprocess.run(['7z', '-y', 'x', '-opython', python_dist_name]))
 
 log('Executing get-pip.py')
 wine_run(['./python/python.exe', '-I', 'get-pip.py'])
@@ -241,7 +260,7 @@ if os.path.exists('./' + output_filename):
     log('Removing previous zipped release')
     os.remove('./' + output_filename)
 log('Zipping release')
-check(os.system(r'7z -mx=9 a ' + output_filename + ' ./yt-local'))
+check_subp(subprocess.run(['7z', '-mx=9', 'a', output_filename, './yt-local']))
 
 print('\n')
 log('Finished')