Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Command injection is possible via activation script #2768

Closed
y5c4l3 opened this issue Sep 23, 2024 · 0 comments
Closed

Command injection is possible via activation script #2768

y5c4l3 opened this issue Sep 23, 2024 · 0 comments
Labels

Comments

@y5c4l3
Copy link
Contributor

y5c4l3 commented Sep 23, 2024

Issue

This issue was originally reported to Tidelift, with disclosure negotiated with the maintainer.

The activation script in virtualenv is command injectable via a crafted path:

envname="';uname -a;':"
mkdir "$envname"
cd "$envname"
virtualenv .
. ./bin/activate
Linux archlinux 6.10.6-arch1-1 #1 SMP PREEMPT_DYNAMIC Mon, 19 Aug 2024 17:02:39

The execution path is low-risk since users clearly know what they are doing. However, it makes downstream attack vectors possible. More details on possible exploits of a famous downstream were disclosed to the maintainers of that project and virtualenv.

Environment

  • OS: Linux
@y5c4l3 y5c4l3 added the bug label Sep 23, 2024
y5c4l3 added a commit to y5c4l3/virtualenv that referenced this issue Sep 27, 2024
This patch adds `quote` method in `ViaTemplateActivator` so that the
magic template strings can be quoted correctly when replacing. This
mitigates potential command injection (pypa#2768).

Signed-off-by: y5c4l3 <y5c4l3@proton.me>
y5c4l3 added a commit to y5c4l3/virtualenv that referenced this issue Sep 27, 2024
This patch adds `quote` method in `ViaTemplateActivator` so that the
magic template strings can be quoted correctly when replacing. This
mitigates potential command injection (pypa#2768).

Signed-off-by: y5c4l3 <y5c4l3@proton.me>
y5c4l3 added a commit to y5c4l3/virtualenv that referenced this issue Sep 27, 2024
This patch adds `quote` method in `ViaTemplateActivator` so that the
magic template strings can be quoted correctly when replacing. This
mitigates potential command injection (pypa#2768).

Signed-off-by: y5c4l3 <y5c4l3@proton.me>
y5c4l3 added a commit to y5c4l3/virtualenv that referenced this issue Sep 27, 2024
This patch adds `quote` method in `ViaTemplateActivator` so that the
magic template strings can be quoted correctly when replacing. This
mitigates potential command injection (pypa#2768).

Signed-off-by: y5c4l3 <y5c4l3@proton.me>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant