Security Hardening: Quoting Patterns and Stripping Special Characters in check_pip #289

@coderabbitai

Description

Summary of Discussion

We need to reduce the risk of unintended shell expansions and possible command injection in the check_pip script. Our conversation began with concerns about special characters (like backticks, dollar signs, etc.) potentially allowing shell commands to be executed if they appear in maliciously crafted package names in requirements files. While the current risk is low, extra safety can be achieved by removing these characters (e.g., via tr -d) and wrapping variables in quotes for commands like grep.

Relevant Links

Key Insights

  • Removing or escaping shell-expansion symbols (including backticks, $ signs, etc.) can mitigate injection.
  • Quoting variables in commands (e.g., grep -F -- "${pkg}") provides further protection.
  • The changes revolve mostly around line 288 in the check_pip script (and similar lines containing grep with unquoted patterns).

Tasks to Mitigate This Risk

  1. Add the suggested tr -d entries to also remove backticks and $.
  2. Verify quoting for grep patterns, ensuring variables are enclosed in double quotes.
  3. Confirm no other expansions or edge cases in the script remain.
  4. Evaluate whether additional special characters should be removed.
  5. Implement & document the changes.

Please coordinate final adjustments in a dedicated follow-up pull request after addressing these tasks.
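The two mitigations discussed above, stripping shell-expansion characters with `tr -d` and passing the quoted variable to `grep -F --`, demonstrated in an added shell example. This is not the check_pip script and is not part of the issue: the function names, the character list handed to `tr -d`, and the requirements content are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the project's check_pip script.
set -eu

# Remove characters that drive command substitution, variable expansion or
# command chaining from a package name read out of a requirements file.
# The character list is an assumption for this example, not check_pip's list.
sanitize_pkg_name() {
  printf '%s' "$1" | tr -d '`$(){};|&<>\\"'"'"
}

# Look a package name up in requirements content passed as the second argument.
# -F makes the pattern a fixed string (no regex metacharacters), -x matches the
# whole line, and -- ends option parsing so a name starting with '-' is treated
# as a pattern rather than as an option. Exit status follows grep (0 = found).
pkg_in_requirements() {
  local pkg="$1"
  local requirements="$2"
  printf '%s\n' "$requirements" | grep -F -x -- "${pkg}" >/dev/null
}

# Constructed sample requirements content (hypothetical, not from the project).
SAMPLE_REQUIREMENTS='requests
numpy
pyyaml'

# Walk a few constructed package names: a clean one, two carrying shell
# metacharacters, one that would be parsed as a grep option without '--',
# and one whose payload survives as harmless text once the symbols are gone.
demo() {
  local raw clean
  for raw in 'requests' 'numpy;' '`pyyaml`' '-numpy' 'num$(echo py)'; do
    clean="$(sanitize_pkg_name "$raw")"
    if pkg_in_requirements "$clean" "$SAMPLE_REQUIREMENTS"; then
      printf 'raw=%-16s clean=%-12s found\n' "$raw" "$clean"
    else
      printf 'raw=%-16s clean=%-12s not found\n' "$raw" "$clean"
    fi
  done
}

demo
```

Note that `tr -d` only removes symbols; `num$(echo py)` becomes the literal string `numecho py`, which simply fails the lookup rather than executing anything, and `-numpy` is never expanded or interpreted as an option because of `--` and the double quotes around `${pkg}`.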

Metadata

Labels

  • Bash Lang: Changes to the BASH scripts
  • CI: Continuous Integration Tooling
