Skip to content

Commit e6e32d0

Browse files
reactive-firewallreactive-firewall
committed
[SECURITY] Possible fix for CWE-78 (- WIP #197 -)
Changes in file tests/check_pip: * refactored function check_license_when_given_req to mitigate CWE-77 * refactored function check_license_when_given_req to mitigate CWE-78
1 parent 5209fb8 commit e6e32d0

File tree

1 file changed

+16
-1
lines changed

1 file changed

+16
-1
lines changed

tests/check_pip

Lines changed: 16 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -60,6 +60,21 @@
6060
# even if the above stated remedy fails of its essential purpose.
6161
################################################################################
6262
#
63+
# ---
64+
# ### Security Advisory: Command Injection Risk in `tests/check_pip`
65+
#
66+
# When using the `tests/check_pip` script, be aware of a potential command injection vulnerability arising from module names containing special characters or leading hyphens (e.g., `-v`). The script has been updated to properly handle such module names by:
67+
#
68+
# - Using `--` in `grep` commands to prevent interpreting module names as options.
69+
# - Ensuring all inputs are correctly sanitized and special characters are handled safely.
70+
#
71+
# **Recommendations for Developers:**
72+
#
73+
# - **Validation:** Always ensure that variables used in shell commands are properly handled to avoid being misinterpreted as options or commands.
74+
# - **Updates:** Pull the latest changes from the repository to incorporate the security fixes in `tests/check_pip`.
75+
# - **Testing:** Incorporate static code analysis tools to detect similar vulnerabilities in the future.
76+
# ---
77+
#
6378
# check_pip: Audit and validate Python requirements files.
6479
# This, best-effort, script audits and validates Python requirements
6580
# files using tools like pip-audit and pip-licenses.
@@ -276,7 +291,7 @@ function check_license_when_given_req() {
276291
# Install the given Python modules using pip
277292
for module in $@ ; do
278293
printf "::debug::%s\n" "Checking license from package '${module}' ..." ;
279-
REQ_SPEC=$(grep -F "${module}" <(cat <"${_TEST_ROOT_DIR}"/$req_file | sed -E -e '/^[[:space:]]*$/d' | sed -E -e '/^[#]+.*$/d') | grep -m1 -F "$module" )
294+
REQ_SPEC=$(grep -F -- "${module}" <(cat <"${_TEST_ROOT_DIR}"/$req_file | sed -E -e '/^[[:space:]]*$/d' | sed -E -e '/^[#]+.*$/d') | grep -m1 -F -- "${module}" )
280295
ERR_MSG="pip install '$module' failed for $req_file." ;
281296
if [[ ("${SUB_CODE}" -eq 0) ]] && python3 -m pip install $PIP_COMMON_FLAGS $PIP_ENV_FLAGS "${REQ_SPEC};" 2>/dev/null ;
282297
then

0 commit comments

Comments
 (0)