2 files changed, 44 insertions, 40 deletions

diff --git a/youtube/get_app_version/__init__.py b/youtube/get_app_version/__init__.py
index 2d5290f..665b7b5 100644
--- a/youtube/get_app_version/__init__.py
+++ b/youtube/get_app_version/__init__.py
@@ -1 +1,3 @@
-from .get_app_version import *
+from .get_app_version import app_version
+
+__all__ = ['app_version']
diff --git a/youtube/get_app_version/get_app_version.py b/youtube/get_app_version/get_app_version.py
index 51eb2ce..aa87623 100644
--- a/youtube/get_app_version/get_app_version.py
+++ b/youtube/get_app_version/get_app_version.py
@@ -1,54 +1,56 @@
 from __future__ import unicode_literals
-from subprocess import (
-    call,
-    STDOUT
-)
-from ..version import __version__
 import os
+import shutil
 import subprocess
 
+from ..version import __version__
+
 
 def app_version():
     def minimal_env_cmd(cmd):
         # make minimal environment
-        env = {}
-        for k in ['SYSTEMROOT', 'PATH']:
-            v = os.environ.get(k)
-            if v is not None:
-                env[k] = v
-
-        env['LANGUAGE'] = 'C'
-        env['LANG'] = 'C'
-        env['LC_ALL'] = 'C'
-        out = subprocess.Popen(
-            cmd, stdout=subprocess.PIPE, env=env).communicate()[0]
+        env = {k: os.environ[k] for k in ['SYSTEMROOT', 'PATH'] if k in os.environ}
+        env.update({'LANGUAGE': 'C', 'LANG': 'C', 'LC_ALL': 'C'})
+        out = subprocess.Popen(cmd, stdout=subprocess.PIPE, env=env).communicate()[0]
         return out
 
-    if call(["git", "branch"], stderr=STDOUT,
-            stdout=open(os.devnull, 'w')) != 0:
-
-        subst_list = {
-            "version": __version__,
-            "branch": None,
-            "commit": None
-        }
-
-    else:
-        # version
-        describe = minimal_env_cmd(["git", "describe", "--always"])
-        git_revision = describe.strip().decode('ascii')
-        # branch
-        branch = minimal_env_cmd(["git", "branch"])
-        git_branch = branch.strip().decode('ascii').replace('* ', '')
-
-        subst_list = {
-            "version": __version__,
-            "branch": git_branch,
-            "commit": git_revision
-        }
+    subst_list = {
+        'version': __version__,
+        'branch': None,
+        'commit': None,
+    }
+
+    # Use shutil.which instead of `command -v`/os.system so we don't spawn a
+    # shell (CWE-78 hardening) and so it works cross-platform.
+    if shutil.which('git') is None:
+        return subst_list
+
+    try:
+        # Check we are inside a git work tree. Using DEVNULL avoids the
+        # file-handle leak from `open(os.devnull, 'w')`.
+        rc = subprocess.call(
+            ['git', 'branch'],
+            stderr=subprocess.DEVNULL,
+            stdout=subprocess.DEVNULL,
+        )
+    except OSError:
+        return subst_list
+    if rc != 0:
+        return subst_list
+
+    describe = minimal_env_cmd(['git', 'describe', '--tags', '--always'])
+    git_revision = describe.strip().decode('ascii')
+
+    branch = minimal_env_cmd(['git', 'branch', '--show-current'])
+    git_branch = branch.strip().decode('ascii')
+
+    subst_list.update({
+        'branch': git_branch,
+        'commit': git_revision,
+    })
 
     return subst_list
 
 
-if __name__ == "__main__":
+if __name__ == '__main__':
     app_version()