password-store: retrieve secret w/o shell

Do not use shell to retrieve a secret from password-store because (a) it's less secure, and (b) it's one extra executable invocation.
ikalnytskyi · May 7, 2024 · 2259ce9 · 2259ce9
1 parent 3a694f7
commit 2259ce9
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/src/httpie_credential_store/_keychain.py b/src/httpie_credential_store/_keychain.py
@@ -26,7 +26,7 @@ class ShellKeychain(KeychainProvider):
 
     def get(self, *, command):
         try:
-            return subprocess.check_output(command, shell=True).decode("UTF-8")
+            return subprocess.check_output(command, shell=True, text=True)
         except subprocess.CalledProcessError as exc:
             error_message = f"No secret found: {exc}"
             raise LookupError(error_message) from exc
@@ -41,9 +41,9 @@ def get(self, *, name):
         try:
             # password-store may store securely extra information along with a
             # password. Nevertheless, a password is always a first line.
-            text = super().get(command=f"pass {name}")
+            text = subprocess.check_output(["pass", name], text=True)
             return text.splitlines()[0]
-        except LookupError as exc:
+        except subprocess.CalledProcessError as exc:
             error_message = f"password-store: no secret found: '{name}'"
             raise LookupError(error_message) from exc