[debug/undebug] replace shell=True (sonic-net#2662)

Signed-off-by: Mai Bui <maibui@microsoft.com>

#### What I did
`subprocess()` - when using with `shell=True` is dangerous. Using subprocess function without a static string can lead to command injection.
#### How I did it
`subprocess()` - use `shell=False` instead, use list of strings Ref: [https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation](https://semgrep.dev/docs/cheat-sheets/python-command-injection/#mitigation)
#### How to verify it
Manual test, execute all debug/undebug bgp/zebra commands
Add UT

Author: maipbui

debug/main.py

@@ -1,9 +1,13 @@
+import re
+import sys
 import click
 import subprocess
+from shlex import join
 
 def run_command(command, pager=False):
-    click.echo(click.style("Command: ", fg='cyan') + click.style(command, fg='green'))
-    p = subprocess.Popen(command, shell=True, text=True, stdout=subprocess.PIPE)
+    command_str = join(command)
+    click.echo(click.style("Command: ", fg='cyan') + click.style(command_str, fg='green'))
+    p = subprocess.Popen(command, text=True, stdout=subprocess.PIPE)
     output = p.stdout.read()
     if pager:
         click.echo_via_pager(output)
@@ -21,8 +25,8 @@ def cli():
     """SONiC command line - 'debug' command"""
     pass
 
-
-p = subprocess.check_output(["sudo vtysh -c 'show version'"], shell=True, text=True)
+prefix_pattern = '^[A-Za-z0-9.:/]*$'
+p = subprocess.check_output(['sudo', 'vtysh', '-c', 'show version'], text=True)
 if 'FRRouting' in p:
     #
     # 'bgp' group for FRR ###
@@ -35,89 +39,90 @@ def bgp():
     @bgp.command('allow-martians')
     def allow_martians():
         """BGP allow martian next hops"""
-        command = 'sudo vtysh -c "debug bgp allow-martians"'
+        command = ['sudo', 'vtysh', '-c', "debug bgp allow-martians"]
         run_command(command)
 
     @bgp.command()
     @click.argument('additional', type=click.Choice(['segment']), required=False)
     def as4(additional):
         """BGP AS4 actions"""
-        command = 'sudo vtysh -c "debug bgp as4'
+        command = ['sudo', 'vtysh', '-c', "debug bgp as4"]
         if additional is not None:
-            command += " segment"
-        command += '"'
+            command[-1] += " segment"
         run_command(command)
 
     @bgp.command()
     @click.argument('prefix', required=True)
     def bestpath(prefix):
         """BGP bestpath"""
-        command = 'sudo vtysh -c "debug bgp bestpath %s"' % prefix
+        if not re.match(prefix_pattern, prefix):
+            sys.exit('Prefix contains only number, alphabet, period, colon, and forward slash')
+        command = ['sudo', 'vtysh', '-c', "debug bgp bestpath %s" % prefix]
         run_command(command)
 
     @bgp.command()
     @click.argument('prefix_or_iface', required=False)
     def keepalives(prefix_or_iface):
         """BGP Neighbor Keepalives"""
-        command = 'sudo vtysh -c "debug bgp keepalives'
+        command = ['sudo', 'vtysh', '-c', "debug bgp keepalives"]
         if prefix_or_iface is not None:
-            command += " " + prefix_or_iface
-        command += '"'
+            command[-1] += ' ' + prefix_or_iface
         run_command(command)
 
     @bgp.command('neighbor-events')
     @click.argument('prefix_or_iface', required=False)
     def neighbor_events(prefix_or_iface):
         """BGP Neighbor Events"""
-        command = 'sudo vtysh -c "debug bgp neighbor-events'
+        command = ['sudo', 'vtysh', '-c', "debug bgp neighbor-events"]
         if prefix_or_iface is not None:
-            command += " " + prefix_or_iface
-        command += '"'
+            command[-1] += ' ' + prefix_or_iface
         run_command(command)
 
     @bgp.command()
     def nht():
         """BGP nexthop tracking events"""
-        command = 'sudo vtysh -c "debug bgp nht"'
+        command = ['sudo', 'vtysh', '-c', "debug bgp nht"]
         run_command(command)
 
     @bgp.command()
     @click.argument('additional', type=click.Choice(['error']), required=False)
     def pbr(additional):
         """BGP policy based routing"""
-        command = 'sudo vtysh -c "debug bgp pbr'
+        command = ['sudo', 'vtysh', '-c', "debug bgp pbr"]
         if additional is not None:
-            command += " error"
-        command += '"'
+            command[-1] += " error"
         run_command(command)
 
     @bgp.command('update-groups')
     def update_groups():
         """BGP update-groups"""
-        command = 'sudo vtysh -c "debug bgp update-groups"'
+        command = ['sudo', 'vtysh', '-c', "debug bgp update-groups"]
         run_command(command)
 
     @bgp.command()
     @click.argument('direction', type=click.Choice(['in', 'out', 'prefix']), required=False)
     @click.argument('prefix', required=False)
     def updates(direction, prefix):
         """BGP updates"""
-        command = 'sudo vtysh -c "debug bgp updates'
+        bgp_cmd = "debug bgp updates"
         if direction is not None:
-            command += " " + direction
+            bgp_cmd += ' ' + direction
         if prefix is not None:
-            command += " " + prefix
-        command += '"'
+            if not re.match(prefix_pattern, prefix):
+                sys.exit('Prefix contains only number, alphabet, period, colon, and forward slash')
+            bgp_cmd += ' ' + prefix
+        command = ['sudo', 'vtysh', '-c', bgp_cmd]
         run_command(command)
 
     @bgp.command()
     @click.argument('prefix', required=False)
     def zebra(prefix):
         """BGP Zebra messages"""
-        command = 'sudo vtysh -c "debug bgp zebra'
+        command = ['sudo', 'vtysh', '-c', "debug bgp zebra"]
         if prefix is not None:
-            command += " prefix " + prefix
-        command += '"'
+            if not re.match(prefix_pattern, prefix):
+                sys.exit('Prefix contains only number, alphabet, period, colon, and forward slash')
+            command[-1] += " prefix " + prefix
         run_command(command)
 
     #
@@ -132,56 +137,54 @@ def zebra():
     @click.argument('detailed', type=click.Choice(['detailed']), required=False)
     def dplane(detailed):
         """Debug zebra dataplane events"""
-        command = 'sudo vtysh -c "debug zebra dplane'
+        command = ['sudo', 'vtysh', '-c', "debug zebra dplane"]
         if detailed is not None:
-            command += " detailed"
-        command += '"'
+            command[-1] += " detailed"
         run_command(command)
 
     @zebra.command()
     def events():
         """Debug option set for zebra events"""
-        command = 'sudo vtysh -c "debug zebra events"'
+        command = ['sudo', 'vtysh', '-c', "debug zebra events"]
         run_command(command)
 
     @zebra.command()
     def fpm():
         """Debug zebra FPM events"""
-        command = 'sudo vtysh -c "debug zebra fpm"'
+        command = ['sudo', 'vtysh', '-c', "debug zebra fpm"]
         run_command(command)
 
     @zebra.command()
     def kernel():
         """Debug option set for zebra between kernel interface"""
-        command = 'sudo vtysh -c "debug zebra kernel"'
+        command = ['sudo', 'vtysh', '-c', "debug zebra kernel"]
         run_command(command)
 
     @zebra.command()
     def nht():
         """Debug option set for zebra next hop tracking"""
-        command = 'sudo vtysh -c "debug zebra nht"'
+        command = ['sudo', 'vtysh', '-c', "debug zebra nht"]
         run_command(command)
 
     @zebra.command()
     def packet():
         """Debug option set for zebra packet"""
-        command = 'sudo vtysh -c "debug zebra packet"'
+        command = ['sudo', 'vtysh', '-c', "debug zebra packet"]
         run_command(command)
 
     @zebra.command()
     @click.argument('detailed', type=click.Choice(['detailed']), required=False)
     def rib(detailed):
         """Debug RIB events"""
-        command = 'sudo vtysh -c "debug zebra rib'
+        command = ['sudo', 'vtysh', '-c', "debug zebra rib"]
         if detailed is not None:
-            command += " detailed"
-        command += '"'
+            command[-1] += " detailed"
         run_command(command)
 
     @zebra.command()
     def vxlan():
         """Debug option set for zebra VxLAN (EVPN)"""
-        command = 'sudo vtysh -c "debug zebra vxlan"'
+        command = ['sudo', 'vtysh', '-c', "debug zebra vxlan"]
         run_command(command)
 
 else:
@@ -193,49 +196,49 @@ def vxlan():
     def bgp(ctx):
         """debug bgp on"""
         if ctx.invoked_subcommand is None:
-            command = 'sudo vtysh -c "debug bgp"'
+            command = ['sudo', 'vtysh', '-c', "debug bgp"]
             run_command(command)
 
     @bgp.command()
     def events():
         """debug bgp events on"""
-        command = 'sudo vtysh -c "debug bgp events"'
+        command = ['sudo', 'vtysh', '-c', "debug bgp events"]
         run_command(command)
 
     @bgp.command()
     def updates():
         """debug bgp updates on"""
-        command = 'sudo vtysh -c "debug bgp updates"'
+        command = ['sudo', 'vtysh', '-c', "debug bgp updates"]
         run_command(command)
 
     @bgp.command()
     def as4():
         """debug bgp as4 actions on"""
-        command = 'sudo vtysh -c "debug bgp as4"'
+        command = ['sudo', 'vtysh', '-c', "debug bgp as4"]
         run_command(command)
 
     @bgp.command()
     def filters():
         """debug bgp filters on"""
-        command = 'sudo vtysh -c "debug bgp filters"'
+        command = ['sudo', 'vtysh', '-c', "debug bgp filters"]
         run_command(command)
 
     @bgp.command()
     def fsm():
         """debug bgp finite state machine on"""
-        command = 'sudo vtysh -c "debug bgp fsm"'
+        command = ['sudo', 'vtysh', '-c', "debug bgp fsm"]
         run_command(command)
 
     @bgp.command()
     def keepalives():
         """debug bgp keepalives on"""
-        command = 'sudo vtysh -c "debug bgp keepalives"'
+        command = ['sudo', 'vtysh', '-c', "debug bgp keepalives"]
         run_command(command)
 
     @bgp.command()
     def zebra():
         """debug bgp zebra messages on"""
-        command = 'sudo vtysh -c "debug bgp zebra"'
+        command = ['sudo', 'vtysh', '-c', "debug bgp zebra"]
         run_command(command)
 
     #
@@ -248,32 +251,31 @@ def zebra():
 
     @zebra.command()
     def events():
-        """debug option set for zebra events"""
-        command = 'sudo vtysh -c "debug zebra events"'
+        command = ['sudo', 'vtysh', '-c', "debug zebra events"]
         run_command(command)
 
     @zebra.command()
     def fpm():
         """debug zebra FPM events"""
-        command = 'sudo vtysh -c "debug zebra fpm"'
+        command = ['sudo', 'vtysh', '-c', "debug zebra fpm"]
         run_command(command)
 
     @zebra.command()
     def kernel():
         """debug option set for zebra between kernel interface"""
-        command = 'sudo vtysh -c "debug zebra kernel"'
+        command = ['sudo', 'vtysh', '-c', "debug zebra kernel"]
         run_command(command)
 
     @zebra.command()
     def packet():
         """debug option set for zebra packet"""
-        command = 'sudo vtysh -c "debug zebra packet"'
+        command = ['sudo', 'vtysh', '-c', "debug zebra packet"]
         run_command(command)
 
     @zebra.command()
     def rib():
         """debug RIB events"""
-        command = 'sudo vtysh -c "debug zebra rib"'
+        command = ['sudo', 'vtysh', '-c', "debug zebra rib"]
         run_command(command)