upstream/ipython Files · IPython/tests/cve.py

Statically type OInfo. (#13973)...

Statically type OInfo. (#13973) In view of working with , some cleanup inspect to be properly typed, and using stricter datastructure. Instead of dict we now use dataclasses, this will make sure that fields type and access can be stricter and verified not only at runtime, but by mypy

Matthias Bussonnier - - Load All Authors

File last commit:

r27764:aefe51c6


                r28166:29b451fc

Download file

             cve.py
        
                    66 lines
            
             | 2.0 KiB
            
                | text/x-python
            
             |
                PythonLexer
            
             / IPython / tests / cve.py
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        Matthias Bussonnier
    
Add test for CVE-2022-21699

              r27465
            
      """

      Test that CVEs stay fixed. 

      """

      from IPython.utils.tempdir import TemporaryDirectory, TemporaryWorkingDirectory

      from pathlib import Path

      import random

      import sys

      import os

      import string

      import subprocess

        martinRenou
    
Pin black in CI...

              r27480
            
        Matthias Bussonnier
    
Add test for CVE-2022-21699

              r27465
            
      def test_cve_2022_21699():

          """

          Here we test CVE-2022-21699.

        martinRenou
    
Pin black in CI...

              r27480
            
          We create a temporary directory, cd into it.

          Make a profile file that should not be executed and start IPython in a subprocess,

        Matthias Bussonnier
    
Add test for CVE-2022-21699

              r27465
            
          checking for the value.

          """

        martinRenou
    
Pin black in CI...

              r27480
            
          dangerous_profile_dir = Path("profile_default")

        Matthias Bussonnier
    
Add test for CVE-2022-21699

              r27465
            
        martinRenou
    
Pin black in CI...

              r27480
            
          dangerous_startup_dir = dangerous_profile_dir / "startup"

          dangerous_expected = "CVE-2022-21699-" + "".join(

              [random.choice(string.ascii_letters) for i in range(10)]

          )

        Matthias Bussonnier
    
Add test for CVE-2022-21699

              r27465
            
          with TemporaryWorkingDirectory() as t:

              dangerous_startup_dir.mkdir(parents=True)

        gousaiyang
    
Format code

              r27495
            
              (dangerous_startup_dir / "foo.py").write_text(

                  f'print("{dangerous_expected}")', encoding="utf-8"

              )

        Matthias Bussonnier
    
Add test for CVE-2022-21699

              r27465
            
              # 1 sec to make sure FS is flushed.

        martinRenou
    
Pin black in CI...

              r27480
            
              # time.sleep(1)

              cmd = [sys.executable, "-m", "IPython"]

        Matthias Bussonnier
    
Add test for CVE-2022-21699

              r27465
            
              env = os.environ.copy()

        martinRenou
    
Pin black in CI...

              r27480
            
              env["IPY_TEST_SIMPLE_PROMPT"] = "1"

        Matthias Bussonnier
    
Add test for CVE-2022-21699

              r27465
            
              # First we fake old behavior, making sure the profile is/was actually dangerous

        martinRenou
    
Pin black in CI...

              r27480
            
              p_dangerous = subprocess.Popen(

                  cmd + [f"--profile-dir={dangerous_profile_dir}"],

                  env=env,

                  stdin=subprocess.PIPE,

                  stdout=subprocess.PIPE,

                  stderr=subprocess.PIPE,

              )

        Matthias Bussonnier
    
Add test for CVE-2022-21699

              r27465
            
              out_dangerous, err_dangerouns = p_dangerous.communicate(b"exit\r")

              assert dangerous_expected in out_dangerous.decode()

              # Now that we know it _would_ have been dangerous, we test it's not loaded

        martinRenou
    
Pin black in CI...

              r27480
            
              p = subprocess.Popen(

                  cmd,

                  env=env,

                  stdin=subprocess.PIPE,

                  stdout=subprocess.PIPE,

                  stderr=subprocess.PIPE,

              )

        Matthias Bussonnier
    
Add test for CVE-2022-21699

              r27465
            
              out, err = p.communicate(b"exit\r")

        martinRenou
    
Pin black in CI...

              r27480
            
              assert b"IPython" in out

        Matthias Bussonnier
    
Add test for CVE-2022-21699

              r27465
            
              assert dangerous_expected not in out.decode()

        martinRenou
    
Pin black in CI...

              r27480
            
              assert err == b""

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

Matthias Bussonnier Add test for CVE-2022-21699	r27465	"""
		Test that CVEs stay fixed.
		"""

		from IPython.utils.tempdir import TemporaryDirectory, TemporaryWorkingDirectory
		from pathlib import Path
		import random
		import sys
		import os
		import string
		import subprocess

martinRenou Pin black in CI...	r27480
Matthias Bussonnier Add test for CVE-2022-21699	r27465	def test_cve_2022_21699():
		"""
		Here we test CVE-2022-21699.

martinRenou Pin black in CI...	r27480	We create a temporary directory, cd into it.
		Make a profile file that should not be executed and start IPython in a subprocess,
Matthias Bussonnier Add test for CVE-2022-21699	r27465	checking for the value.



		"""

martinRenou Pin black in CI...	r27480	dangerous_profile_dir = Path("profile_default")
Matthias Bussonnier Add test for CVE-2022-21699	r27465
martinRenou Pin black in CI...	r27480	dangerous_startup_dir = dangerous_profile_dir / "startup"
		dangerous_expected = "CVE-2022-21699-" + "".join(
		[random.choice(string.ascii_letters) for i in range(10)]
		)
Matthias Bussonnier Add test for CVE-2022-21699	r27465
		with TemporaryWorkingDirectory() as t:
		dangerous_startup_dir.mkdir(parents=True)
gousaiyang Format code	r27495	(dangerous_startup_dir / "foo.py").write_text(
		f'print("{dangerous_expected}")', encoding="utf-8"
		)
Matthias Bussonnier Add test for CVE-2022-21699	r27465	# 1 sec to make sure FS is flushed.
martinRenou Pin black in CI...	r27480	# time.sleep(1)
		cmd = [sys.executable, "-m", "IPython"]
Matthias Bussonnier Add test for CVE-2022-21699	r27465	env = os.environ.copy()
martinRenou Pin black in CI...	r27480	env["IPY_TEST_SIMPLE_PROMPT"] = "1"
Matthias Bussonnier Add test for CVE-2022-21699	r27465
		# First we fake old behavior, making sure the profile is/was actually dangerous
martinRenou Pin black in CI...	r27480	p_dangerous = subprocess.Popen(
		cmd + [f"--profile-dir={dangerous_profile_dir}"],
		env=env,
		stdin=subprocess.PIPE,
		stdout=subprocess.PIPE,
		stderr=subprocess.PIPE,
		)
Matthias Bussonnier Add test for CVE-2022-21699	r27465	out_dangerous, err_dangerouns = p_dangerous.communicate(b"exit\r")
		assert dangerous_expected in out_dangerous.decode()

		# Now that we know it _would_ have been dangerous, we test it's not loaded
martinRenou Pin black in CI...	r27480	p = subprocess.Popen(
		cmd,
		env=env,
		stdin=subprocess.PIPE,
		stdout=subprocess.PIPE,
		stderr=subprocess.PIPE,
		)
Matthias Bussonnier Add test for CVE-2022-21699	r27465	out, err = p.communicate(b"exit\r")
martinRenou Pin black in CI...	r27480	assert b"IPython" in out
Matthias Bussonnier Add test for CVE-2022-21699	r27465	assert dangerous_expected not in out.decode()
martinRenou Pin black in CI...	r27480	assert err == b""