From e326252ee4af03b4514f20262b719bf0a9468161 Mon Sep 17 00:00:00 2001
From: Glenn Jocher
Date: Thu, 9 Feb 2023 16:57:18 +0400
Subject: [PATCH] Security improvements (#10942)
* Security improvements
* Security improvements
* [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci
---------
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
---
 utils/dataloaders.py | 2 +-
 utils/general.py | 11 ++++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/utils/dataloaders.py b/utils/dataloaders.py
index cbb3114e9..02c2a79f5 100644
--- a/utils/dataloaders.py
+++ b/utils/dataloaders.py
@@ -52,7 +52,7 @@ for orientation in ExifTags.TAGS.keys():
 def get_hash(paths):
 # Returns a single hash value of a list of paths (files or dirs)
 size = sum(os.path.getsize(p) for p in paths if os.path.exists(p)) # sizes
- h = hashlib.md5(str(size).encode()) # hash sizes
+ h = hashlib.sha256(str(size).encode()) # hash sizes
 h.update(''.join(paths).encode()) # hash paths
 return h.hexdigest() # return hash
diff --git a/utils/general.py b/utils/general.py
index 0bbcb6e73..63cc29bfb 100644
--- a/utils/general.py
+++ b/utils/general.py
@@ -14,6 +14,7 @@ import platform
 import random
 import re
 import signal
+import subprocess
 import sys
 import time
 import urllib
@@ -551,7 +552,7 @@ def check_dataset(data, autodownload=True):
 r = None # success
 elif s.startswith('bash '): # bash script
 LOGGER.info(f'Running {s} ...')
- r = os.system(s)
+ r = subprocess.run(s, shell=True)
 else: # python script
 r = exec(s, {'yaml': data}) # return None
 dt = f'({round(time.time() - t, 1)}s)'
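Review bot: In `get_hash`, `''.join(paths)` feeds the path strings to the digest with no separator, so two different path lists can concatenate to the same bytes, and the only other input is the summed file size; replacing MD5 with SHA-256 does not change either property. The value reads as a dataset-cache fingerprint rather than an integrity check, and the function comment should say so, e.g. `# Cache fingerprint of a list of paths (total size + path names); file contents are not hashed`. A separator would remove the ambiguity: `h.update('\0'.join(paths).encode())`. If earlier runs stored the MD5 value in cache files (not visible in this hunk), those entries will stop matching after this change, which deserves a line in the commit message.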
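Review bot: `r = subprocess.run(s, shell=True)` in `check_dataset` binds a `CompletedProcess` object where `os.system(s)` returned an integer status, so any later comparison of `r` with `0` or `None` (the `r = None # success` branch suggests one exists below this hunk) would report every bash download as failed; `r = subprocess.run(s, shell=True).returncode` keeps the old contract. The string `s` still reaches a shell unchanged and the `else` branch still passes it to `exec`, so the trust boundary is the same as before: presumably `s` comes from the dataset YAML (its origin is outside the hunk), and a YAML from an untrusted source runs its commands when `autodownload=True`. A comment on the branch such as `# runs the dataset's download script verbatim: only load dataset YAMLs you trust` would keep the subprocess swap from being read as a fix. The function body starts and ends outside the hunk.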
@@ -648,9 +649,9 @@ def download(url, dir='.', unzip=True, delete=True, curl=False, threads=1, retry
 if is_zipfile(f):
 unzip_file(f, dir) # unzip
 elif is_tarfile(f):
- os.system(f'tar xf {f} --directory {f.parent}') # unzip
+ subprocess.run(f'tar xf {f} --directory {f.parent}', shell=True) # unzip
 elif f.suffix == '.gz':
- os.system(f'tar xfz {f} --directory {f.parent}') # unzip
+ subprocess.run(f'tar xfz {f} --directory {f.parent}', shell=True) # unzip
 if delete:
 f.unlink() # remove zip
@@ -1022,7 +1023,7 @@ def print_mutation(keys, results, hyp, save_dir, bucket, prefix=colorstr('evolve
 if bucket:
 url = f'gs://{bucket}/evolve.csv'
 if gsutil_getsize(url) > (evolve_csv.stat().st_size if evolve_csv.exists() else 0):
- os.system(f'gsutil cp {url} {save_dir}') # download evolve.csv if larger than local
+ subprocess.run(f'gsutil cp {url} {save_dir}', shell=True) # download evolve.csv if larger than local
 # Log to evolve.csv
 s = '' if evolve_csv.exists() else (('%20s,' * n % keys).rstrip(',') + '\n') # add header
@@ -1046,7 +1047,7 @@ def print_mutation(keys, results, hyp, save_dir, bucket, prefix=colorstr('evolve
 for x in vals) + '\n\n')
 if bucket:
- os.system(f'gsutil cp {evolve_csv} {evolve_yaml} gs://{bucket}') # upload
+ subprocess.run(f'gsutil cp {evolve_csv} {evolve_yaml} gs://{bucket}', shell=True) # upload
 def apply_classifier(x, model, img, im0):
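Review bot: The two `tar` calls in `download` and both `gsutil cp` calls in `print_mutation` still build one shell string from `f`, `f.parent`, `url`, `save_dir` and `bucket`, so a space or shell metacharacter in a file name, directory or bucket name is parsed by the shell exactly as it was under `os.system`. These commands have a fixed argument structure and can drop the shell: `subprocess.run(['tar', 'xf', f, '--directory', f.parent])`, and likewise `['gsutil', 'cp', url, save_dir]` and `['gsutil', 'cp', evolve_csv, evolve_yaml, f'gs://{bucket}']`. The return value is discarded in all four places, so a failed extract is still followed by `f.unlink()` when `delete` is set; passing `check=True` or testing `.returncode` would surface that. Both functions start and end outside these hunks.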