nyx/tests/fixtures/mixed_project/utils.py

import os
import subprocess
import shlex

# Infrastructure provisioning tool — Python automation scripts.
# Handles configuration management and deployment automation.

# ───── Configuration management ─────

def sync_config():
    """Syncs configuration from a remote source.
    VULN: os.getenv flows into subprocess.run (command injection)
    """
    remote = os.getenv("CONFIG_REMOTE_URL")
    local_dir = os.getenv("CONFIG_LOCAL_DIR")
    subprocess.run(["rsync", "-avz", remote, local_dir])

def apply_ansible_playbook():
    """Runs an Ansible playbook from env-configured path.
    VULN: os.getenv flows into subprocess.Popen (command injection)
    """
    playbook = os.getenv("ANSIBLE_PLAYBOOK")
    inventory = os.getenv("ANSIBLE_INVENTORY")
    proc = subprocess.Popen(
        ["ansible-playbook", "-i", inventory, playbook],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )
    stdout, stderr = proc.communicate()
    if proc.returncode != 0:
        raise RuntimeError(f"Playbook failed: {stderr.decode()}")
    return stdout.decode()

# ───── Secret management ─────

def rotate_secrets():
    """Rotates secrets by calling a vault CLI.
    VULN: os.getenv flows into os.system (command injection)
    """
    vault_addr = os.getenv("VAULT_ADDR")
    vault_token = os.getenv("VAULT_TOKEN")
    os.system(f"vault write -address={vault_addr} secret/app/key value=rotated")

def inject_secrets():
    """Injects secrets into the environment from vault.
    VULN: os.getenv flows into eval (code injection via env)
    """
    secret_loader = os.getenv("SECRET_LOADER_EXPR")
    secrets = eval(secret_loader)
    return secrets

# ───── Monitoring ─────

def check_service_health():
    """Checks health of all configured services.
    VULN: os.getenv flows into subprocess.call
    """
    services = os.getenv("MONITORED_SERVICES", "").split(",")
    for svc in services:
        subprocess.call(["curl", "-sf", f"http://{svc}/health"])

# ───── Safe patterns ─────

def safe_exec():
    """SAFE: shlex.quote properly sanitizes before shell use."""
    user_path = os.getenv("USER_PATH")
    safe_path = shlex.quote(user_path)
    subprocess.run(f"ls -la {safe_path}", shell=True, capture_output=True)
Feat/full cfg (#30) * feat: Enhance control flow analysis with function summaries and taint analysis * feat: Update taint analysis to utilize function summaries for enhanced tracking * Refactor `walk.rs` batch processing and override handling: - Renamed `Batcher` to `BatchSender` for clarity. - Added `BatchSender::new` constructor for cleaner initialization. - Simplified batch size management in `BatchSender`. - Extracted `build_overrides` function for reusable override construction. - Improved error handling and validation in override building. - Enhanced performance with directory and file type filtering in `walk`. * Improve logging and streamline directory walk process: - Added detailed `tracing` logs for debugging batch flushes, override construction, and walk initialization/completion. - Optimized and simplified `filter_entry` logic for directory and file type filters. - Improved metadata checks and max file size enforcement during the scan. * Refactor and optimize taint tracking, label rules, and directory walk process: - Replaced `DefaultHasher` with `blake3::Hasher` for improved taint hashing. - Enhanced sorting and hashing logic in `taint.rs` for consistency and efficiency. - Removed unused `set_hash` function and redundant imports across files. - Improved batch sender logic in `walk.rs`, renaming key components for clarity. - Unified `spawn_senders` and `spawn_file_walker` with thread handling and channel tuple return. - Expanded label rules with additional matchers for sources, sanitizers, and sinks. - Deprecated `dump_cfg` and specific logging utilities in `cfg.rs` for code cleanup. * fix: fixed let chains error in walk.rs * fix: updated dependencies * fix: updated dependencies * chore: Remove standard error in scan.rs * feat: Introduce function summaries for enhanced taint and control flow analysis * feat: Enhance taint analysis with interop support and function summaries * feat: Add configuration analysis module and enhance matcher rules * feat: Add arity column to function_summaries and handle schema migration * fix: fixed clippy &PathBuf warnings * chore: Update dependencies and versioning in Cargo files * docs: Update README to enhance clarity and detail on features and analysis modes * chore: Update CHANGELOG for version 0.2.0 with new features, changes, and fixes * docs: Update SECURITY.md to clarify version support status --------- Co-authored-by: elipeter <eli.peter@es.fcm.travel> 2026-02-24 23:44:07 -05:00			`import os`
			`import subprocess`
			`import shlex`

			`# Infrastructure provisioning tool — Python automation scripts.`
			`# Handles configuration management and deployment automation.`

			`# ───── Configuration management ─────`

			`def sync_config():`
			`"""Syncs configuration from a remote source.`
			`VULN: os.getenv flows into subprocess.run (command injection)`
			`"""`
			`remote = os.getenv("CONFIG_REMOTE_URL")`
			`local_dir = os.getenv("CONFIG_LOCAL_DIR")`
			`subprocess.run(["rsync", "-avz", remote, local_dir])`

			`def apply_ansible_playbook():`
			`"""Runs an Ansible playbook from env-configured path.`
			`VULN: os.getenv flows into subprocess.Popen (command injection)`
			`"""`
			`playbook = os.getenv("ANSIBLE_PLAYBOOK")`
			`inventory = os.getenv("ANSIBLE_INVENTORY")`
			`proc = subprocess.Popen(`
			`["ansible-playbook", "-i", inventory, playbook],`
			`stdout=subprocess.PIPE,`
			`stderr=subprocess.PIPE,`
			`)`
			`stdout, stderr = proc.communicate()`
			`if proc.returncode != 0:`
			`raise RuntimeError(f"Playbook failed: {stderr.decode()}")`
			`return stdout.decode()`

			`# ───── Secret management ─────`

			`def rotate_secrets():`
			`"""Rotates secrets by calling a vault CLI.`
			`VULN: os.getenv flows into os.system (command injection)`
			`"""`
			`vault_addr = os.getenv("VAULT_ADDR")`
			`vault_token = os.getenv("VAULT_TOKEN")`
			`os.system(f"vault write -address={vault_addr} secret/app/key value=rotated")`

			`def inject_secrets():`
			`"""Injects secrets into the environment from vault.`
			`VULN: os.getenv flows into eval (code injection via env)`
			`"""`
			`secret_loader = os.getenv("SECRET_LOADER_EXPR")`
			`secrets = eval(secret_loader)`
			`return secrets`

			`# ───── Monitoring ─────`

			`def check_service_health():`
			`"""Checks health of all configured services.`
			`VULN: os.getenv flows into subprocess.call`
			`"""`
			`services = os.getenv("MONITORED_SERVICES", "").split(",")`
			`for svc in services:`
			`subprocess.call(["curl", "-sf", f"http://{svc}/health"])`

			`# ───── Safe patterns ─────`

			`def safe_exec():`
			`"""SAFE: shlex.quote properly sanitizes before shell use."""`
			`user_path = os.getenv("USER_PATH")`
			`safe_path = shlex.quote(user_path)`
			`subprocess.run(f"ls -la {safe_path}", shell=True, capture_output=True)`