Fix CVE-2023-24816 by removing legacy code....
Fix CVE-2023-24816 by removing legacy code. Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contains the current working directory of the current IPython session. If an attacker can control directory names and manages to get a user to cd into such a directory, the attacker can execute arbitrary commands contained in the folder names.
Example:
- On a Windows machine where Python is built without _ctypes, create a folder called `&& echo "pwn" > pwn.txt`. This can be done, for example, by cloning a git repository.
- Call toggled_set_term_title(True) (or have the preference set to true).
- Open IPython and cd into this directory.
- The folder now contains a pwn.txt, with pwn as content, despite the user not asking for any code execution.
Workaround: Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).

File last commit:

r27059:8134c2eb
r28089:991849c2
test_magic_arguments.py
/ IPython / core / tests / test_magic_arguments.py
#-----------------------------------------------------------------------------
# Copyright (C) 2010-2011, IPython Development Team.
#
# Distributed under the terms of the Modified BSD License.
#
# The full license is in the file COPYING.txt, distributed with this software.
#-----------------------------------------------------------------------------
import argparse
import sys
from IPython.core.magic_arguments import (argument, argument_group, kwds,
magic_arguments, parse_argstring, real_name)
@magic_arguments()
@argument("-f", "--foo", help="an argument")
def magic_foo1(self, args):
    """ A docstring.
    """
    # Fixture: a "magic_"-prefixed function with a single -f/--foo option.
    # The docstring above is test data (test_magic_arguments compares the
    # resulting __doc__ exactly), so its text is left untouched.
    parsed = parse_argstring(magic_foo1, args)
    return parsed
@magic_arguments()
def magic_foo2(self, args):
    """ A docstring.
    """
    # Fixture: decorated with @magic_arguments() only, no @argument entries.
    # The docstring above is test data and is compared exactly by
    # test_magic_arguments.
    parsed = parse_argstring(magic_foo2, args)
    return parsed
@magic_arguments()
@argument("-f", "--foo", help="an argument")
@argument_group("Group")
@argument("-b", "--bar", help="a grouped argument")
@argument_group("Second Group")
@argument("-z", "--baz", help="another grouped argument")
def magic_foo3(self, args):
    """ A docstring.
    """
    # Fixture: one plain option followed by two @argument_group sections,
    # each with one option. The docstring above is test data and is
    # compared exactly by test_magic_arguments.
    parsed = parse_argstring(magic_foo3, args)
    return parsed
@magic_arguments()
@kwds(argument_default=argparse.SUPPRESS)
@argument("-f", "--foo", help="an argument")
def magic_foo4(self, args):
    """ A docstring.
    """
    # Fixture: passes argument_default=argparse.SUPPRESS through @kwds;
    # test_magic_arguments expects an empty Namespace for an empty argument
    # string. The docstring above is test data and is compared exactly.
    parsed = parse_argstring(magic_foo4, args)
    return parsed
@magic_arguments("frobnicate")
@argument("-f", "--foo", help="an argument")
def magic_foo5(self, args):
    """ A docstring.
    """
    # Fixture: gives @magic_arguments an explicit command name;
    # test_magic_arguments expects both argcmd_name and real_name() to be
    # "frobnicate". The docstring above is test data and is compared exactly.
    parsed = parse_argstring(magic_foo5, args)
    return parsed
@magic_arguments()
@argument("-f", "--foo", help="an argument")
def magic_magic_foo(self, args):
    """ A docstring.
    """
    # Fixture: the function name starts with "magic_magic_";
    # test_magic_arguments expects real_name() to give "magic_foo".
    # The docstring above is test data and is compared exactly.
    parsed = parse_argstring(magic_magic_foo, args)
    return parsed
@magic_arguments()
@argument("-f", "--foo", help="an argument")
def foo(self, args):
    """ A docstring.
    """
    # Fixture: a function without the "magic_" prefix; test_magic_arguments
    # expects real_name() to give "foo". The docstring above is test data
    # and is compared exactly.
    parsed = parse_argstring(foo, args)
    return parsed
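def test_magic_arguments():
    """Check the generated help, command name and parsing of each fixture.

    For every decorated fixture function in this module the test compares
    the rewritten ``__doc__``, the ``argcmd_name`` attribute, the value of
    ``real_name()``, the namespace returned for an empty argument string,
    and the presence of the ``has_arguments`` attribute.
    """
    # NOTE(review): the expected help strings are compared exactly,
    # whitespace included; if this listing was copied from a rendered page,
    # confirm the runs of spaces against the repository copy.

    # “optional arguments” was replaced with “options” in argparse help
    # https://docs.python.org/3/whatsnew/3.10.html#argparse
    # https://bugs.python.org/issue9694
    options = "optional arguments" if sys.version_info < (3, 10) else "options"

    assert (
        magic_foo1.__doc__
        == f"::\n\n %foo1 [-f FOO]\n\n A docstring.\n\n{options}:\n -f FOO, --foo FOO an argument\n"
    )
    # Identity comparison is the idiomatic (PEP 8) check against None.
    assert getattr(magic_foo1, "argcmd_name", None) is None
    assert real_name(magic_foo1) == "foo1"
    assert magic_foo1(None, "") == argparse.Namespace(foo=None)
    assert hasattr(magic_foo1, "has_arguments")

    assert magic_foo2.__doc__ == "::\n\n %foo2\n\n A docstring.\n"
    assert getattr(magic_foo2, "argcmd_name", None) is None
    assert real_name(magic_foo2) == "foo2"
    assert magic_foo2(None, "") == argparse.Namespace()
    assert hasattr(magic_foo2, "has_arguments")

    assert (
        magic_foo3.__doc__
        == f"::\n\n %foo3 [-f FOO] [-b BAR] [-z BAZ]\n\n A docstring.\n\n{options}:\n -f FOO, --foo FOO an argument\n\nGroup:\n -b BAR, --bar BAR a grouped argument\n\nSecond Group:\n -z BAZ, --baz BAZ another grouped argument\n"
    )
    assert getattr(magic_foo3, "argcmd_name", None) is None
    assert real_name(magic_foo3) == "foo3"
    assert magic_foo3(None, "") == argparse.Namespace(bar=None, baz=None, foo=None)
    assert hasattr(magic_foo3, "has_arguments")

    assert (
        magic_foo4.__doc__
        == f"::\n\n %foo4 [-f FOO]\n\n A docstring.\n\n{options}:\n -f FOO, --foo FOO an argument\n"
    )
    assert getattr(magic_foo4, "argcmd_name", None) is None
    assert real_name(magic_foo4) == "foo4"
    # magic_foo4 is declared with argument_default=argparse.SUPPRESS, so the
    # unset option is expected to be absent from the namespace.
    assert magic_foo4(None, "") == argparse.Namespace()
    assert hasattr(magic_foo4, "has_arguments")

    assert (
        magic_foo5.__doc__
        == f"::\n\n %frobnicate [-f FOO]\n\n A docstring.\n\n{options}:\n -f FOO, --foo FOO an argument\n"
    )
    assert getattr(magic_foo5, "argcmd_name", None) == "frobnicate"
    assert real_name(magic_foo5) == "frobnicate"
    assert magic_foo5(None, "") == argparse.Namespace(foo=None)
    assert hasattr(magic_foo5, "has_arguments")

    assert (
        magic_magic_foo.__doc__
        == f"::\n\n %magic_foo [-f FOO]\n\n A docstring.\n\n{options}:\n -f FOO, --foo FOO an argument\n"
    )
    assert getattr(magic_magic_foo, "argcmd_name", None) is None
    assert real_name(magic_magic_foo) == "magic_foo"
    assert magic_magic_foo(None, "") == argparse.Namespace(foo=None)
    assert hasattr(magic_magic_foo, "has_arguments")

    assert (
        foo.__doc__
        == f"::\n\n %foo [-f FOO]\n\n A docstring.\n\n{options}:\n -f FOO, --foo FOO an argument\n"
    )
    assert getattr(foo, "argcmd_name", None) is None
    assert real_name(foo) == "foo"
    assert foo(None, "") == argparse.Namespace(foo=None)
    assert hasattr(foo, "has_arguments")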