From 35d3ac95c175c3ec5fe32cf2d1fb2492fbaf4a72 Mon Sep 17 00:00:00 2001
From: "datadog-agent-integrations-bot[bot]"
 <159767151+datadog-agent-integrations-bot[bot]@users.noreply.github.com>
Date: Wed, 21 Aug 2024 23:20:55 +0200
Subject: [PATCH] [Backport 7.57.x] Switch gunicorn to stdlib subprocess
 (#18387)

* Switch gunicorn to stdlib subprocess

* fix for mock to work

* add changelog

* remove extraneous changelog

* remove another extra changelog

* Correct arguments to subprocess.run, docs

(cherry picked from commit c33d1d650978a2c9e5a3c375ee13dfce1654a01a)

Co-authored-by: Ilia Kurenkov <ilia.kurenkov@datadoghq.com>
---
 gunicorn/changelog.d/18384.fixed             |  1 +
 gunicorn/datadog_checks/gunicorn/gunicorn.py | 15 +++++++++++++--
 gunicorn/hatch.toml                          |  4 ----
 gunicorn/tests/test_unit.py                  |  2 +-
 4 files changed, 15 insertions(+), 7 deletions(-)
 create mode 100644 gunicorn/changelog.d/18384.fixed

diff --git a/gunicorn/changelog.d/18384.fixed b/gunicorn/changelog.d/18384.fixed
new file mode 100644
index 0000000000000..cf40be0ca9b11
--- /dev/null
+++ b/gunicorn/changelog.d/18384.fixed
@@ -0,0 +1 @@
+Switch gunicorn to stdlib subprocess
diff --git a/gunicorn/datadog_checks/gunicorn/gunicorn.py b/gunicorn/datadog_checks/gunicorn/gunicorn.py
index b1d9b6c8ba47b..29ebb2002bc30 100644
--- a/gunicorn/datadog_checks/gunicorn/gunicorn.py
+++ b/gunicorn/datadog_checks/gunicorn/gunicorn.py
@@ -8,12 +8,23 @@
 http://gunicorn.org/
 """
 import re
+import subprocess
 import time
 
 import psutil
 
 from datadog_checks.base import AgentCheck
-from datadog_checks.base.utils.subprocess_output import get_subprocess_output
+
+
+def get_gunicorn_version(cmd):
+    """
+    Adapter around a subprocess call to gunicorn.
+    """
+    # Splitting cmd by whitespace is "Good Enough"(tm):
+    # - shex.split is not available on Windows
+    # - passing shell=True exposes us to shell injection vulnerabilities since we get cmd from user config
+    res = subprocess.run(cmd.split(), capture_output=True, text=True)
+    return res.stdout, res.stderr, res.returncode
 
 
 class GUnicornCheck(AgentCheck):
@@ -166,7 +177,7 @@ def _get_version(self):
         """Get version from `gunicorn --version`"""
         cmd = '{} --version'.format(self.gunicorn_cmd)
         try:
-            pc_out, pc_err, _ = get_subprocess_output(cmd, self.log, False)
+            pc_out, pc_err, _ = get_gunicorn_version(cmd)
         except OSError:
             self.log.debug("Error collecting gunicorn version.")
             return None
diff --git a/gunicorn/hatch.toml b/gunicorn/hatch.toml
index d350a366e13bb..d2fe13c38ff4b 100644
--- a/gunicorn/hatch.toml
+++ b/gunicorn/hatch.toml
@@ -1,9 +1,5 @@
 [env.collectors.datadog-checks]
 
-[[envs.default.matrix]]
-python = ["2.7"]
-version = ["19.9"]
-
 [[envs.default.matrix]]
 python = ["3.11"]
 version = ["19.9", "20.1"]
diff --git a/gunicorn/tests/test_unit.py b/gunicorn/tests/test_unit.py
index a7cf314e5ec55..2c69fcb78823d 100644
--- a/gunicorn/tests/test_unit.py
+++ b/gunicorn/tests/test_unit.py
@@ -18,7 +18,7 @@ def test_collect_metadata_parsing_matching(aggregator, datadog_agent, stdout, st
     check = GUnicornCheck(CHECK_NAME, {}, [INSTANCE])
     check.check_id = 'test:123'
 
-    with mock.patch('datadog_checks.gunicorn.gunicorn.get_subprocess_output', return_value=(stdout, stderr, 0)):
+    with mock.patch('datadog_checks.gunicorn.gunicorn.get_gunicorn_version', return_value=(stdout, stderr, 0)):
         check.check(INSTANCE)
 
     datadog_agent.assert_metadata_count(expect_metadata_count)