1 files changed, 25 insertions, 16 deletions

diff --git a/youtube/get_app_version/get_app_version.py b/youtube/get_app_version/get_app_version.py
index 4995bb7..a73b857 100644
--- a/youtube/get_app_version/get_app_version.py
+++ b/youtube/get_app_version/get_app_version.py
@@ -1,47 +1,56 @@
 from __future__ import unicode_literals
-from subprocess import (
-    call,
-    STDOUT
-)
-from ..version import __version__
 import os
+import shutil
 import subprocess
 
+from ..version import __version__
+
 
 def app_version():
     def minimal_env_cmd(cmd):
         # make minimal environment
         env = {k: os.environ[k] for k in ['SYSTEMROOT', 'PATH'] if k in os.environ}
         env.update({'LANGUAGE': 'C', 'LANG': 'C', 'LC_ALL': 'C'})
-
         out = subprocess.Popen(cmd, stdout=subprocess.PIPE, env=env).communicate()[0]
         return out
 
     subst_list = {
-        "version": __version__,
-        "branch": None,
-        "commit": None
+        'version': __version__,
+        'branch': None,
+        'commit': None,
     }
 
-    if os.system("command -v git > /dev/null 2>&1") != 0:
+    # Use shutil.which instead of `command -v`/os.system so we don't spawn a
+    # shell (CWE-78 hardening) and so it works cross-platform.
+    if shutil.which('git') is None:
         return subst_list
 
-    if call(["git", "branch"], stderr=STDOUT, stdout=open(os.devnull, 'w')) != 0:
+    try:
+        # Check we are inside a git work tree. Using DEVNULL avoids the
+        # file-handle leak from `open(os.devnull, 'w')`.
+        rc = subprocess.call(
+            ['git', 'branch'],
+            stderr=subprocess.DEVNULL,
+            stdout=subprocess.DEVNULL,
+        )
+    except OSError:
+        return subst_list
+    if rc != 0:
         return subst_list
 
-    describe = minimal_env_cmd(["git", "describe", "--tags", "--always"])
+    describe = minimal_env_cmd(['git', 'describe', '--tags', '--always'])
     git_revision = describe.strip().decode('ascii')
 
-    branch = minimal_env_cmd(["git", "branch"])
+    branch = minimal_env_cmd(['git', 'branch'])
     git_branch = branch.strip().decode('ascii').replace('* ', '')
 
     subst_list.update({
-        "branch": git_branch,
-        "commit": git_revision
+        'branch': git_branch,
+        'commit': git_revision,
     })
 
     return subst_list
 
 
-if __name__ == "__main__":
+if __name__ == '__main__':
     app_version()