conan-io#147 Check pip command before to run

- To avoid command injection, the custom pip command will be checked Signed-off-by: Uilian Ries <uilianries@gmail.com>
uilianries · Mar 14, 2019 · 8ca88c7 · 8ca88c7
1 parent c85ded5
commit 8ca88c7
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 3 deletions.
diff --git a/cpt/packager.py b/cpt/packager.py
@@ -219,6 +219,8 @@ def __init__(self, username=None, channel=None, runner=None,
         elif platform.system() != "Windows" and self._docker_image and 'conanio/' not in str(self._docker_image):
             self.sudo_pip_command = "sudo -E"
         self.pip_command = os.getenv("CONAN_PIP_COMMAND", "pip")
+        if not tools.which(self.pip_command) or not "pip" in self.pip_command:
+            raise Exception("CONAN_PIP_COMMAND: '{}' is not a valid pip command.".format(self.pip_command))
 
         self.docker_shell = ""
 

diff --git a/cpt/test/unit/packager_test.py b/cpt/test/unit/packager_test.py
@@ -845,7 +845,7 @@ def test_custom_pip_command(self):
         with tools.environment_append({"CONAN_USERNAME": "foobar",
                                        "CONAN_PIP_PACKAGE": "conan==0.1.0",
                                        "CONAN_PIP_INSTALL": "foobar==0.1.0",
-                                       "CONAN_PIP_COMMAND": "/usr/bin/pip3"}):
+                                       "CONAN_PIP_COMMAND": "pip3"}):
             output = TestBufferConanOutput()
             self.packager = ConanMultiPackager(username="lasote",
                                                channel="mychannel",
@@ -857,5 +857,26 @@ def test_custom_pip_command(self):
             self.packager.add_common_builds()
             self.packager.run()
             self.assertIn("[pip_update]", output)
-            self.assertIn(" /usr/bin/pip3 install conan==0.1.0", self.runner.calls)
-            self.assertIn(" /usr/bin/pip3 install foobar==0.1.0", self.runner.calls)
+            self.assertIn(" pip3 install conan==0.1.0", self.runner.calls)
+            self.assertIn(" pip3 install foobar==0.1.0", self.runner.calls)
+
+    def test_invalid_pip_command(self):
+        """ CPT should not accept invalid `pip` command when CONAN_PIP_COMMAND is declared.
+        """
+        with tools.environment_append({"CONAN_USERNAME": "foobar",
+                                       "CONAN_PIP_PACKAGE": "conan==0.1.0",
+                                       "CONAN_PIP_COMMAND": "/bin/bash"}):
+            output = TestBufferConanOutput()
+            with self.assertRaises(Exception) as context:
+                self.packager = ConanMultiPackager(username="lasote",
+                                                channel="mychannel",
+                                                reference="lib/1.0",
+                                                ci_manager=self.ci_manager,
+                                                out=output.write,
+                                                conan_api=self.conan_api,
+                                                runner=self.runner)
+                self.packager.add_common_builds()
+                self.packager.run()
+
+                self.assertTrue("CONAN_PIP_COMMAND: '/bin/bash' is not a valid pip command" in context.exception)
+            self.assertNotIn("[pip_update]", output)