@@ -20,7 +20,7 b' jobs:' | |||||
20 |
|
20 | |||
21 | steps: |
|
21 | steps: | |
22 | - uses: actions/checkout@v2 |
|
22 | - uses: actions/checkout@v2 | |
23 |
with: |
|
23 | with: | |
24 | fetch-depth: 0 |
|
24 | fetch-depth: 0 | |
25 | - name: Set up Python ${{ matrix.python-version }} |
|
25 | - name: Set up Python ${{ matrix.python-version }} | |
26 | uses: actions/setup-python@v2 |
|
26 | uses: actions/setup-python@v2 | |
@@ -29,7 +29,7 b' jobs:' | |||||
29 | - name: Install dependencies |
|
29 | - name: Install dependencies | |
30 | run: | |
|
30 | run: | | |
31 | python -m pip install --upgrade pip |
|
31 | python -m pip install --upgrade pip | |
32 | pip install darker |
|
32 | pip install darker black==21.12b0 | |
33 | - name: Lint with darker |
|
33 | - name: Lint with darker | |
34 | run: | |
|
34 | run: | | |
35 | darker -r 60625f241f298b5039cb2debc365db38aa7bb522 --check --diff . || ( |
|
35 | darker -r 60625f241f298b5039cb2debc365db38aa7bb522 --check --diff . || ( |
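Review bot: The install step at new line 32 pins `black==21.12b0` but leaves `darker` floating, so the lint result can still change when a new darker release is published, and neither package is hash-checked. Pinning both, e.g. `pip install darker==<pinned-version> black==21.12b0` (the darker version is a placeholder), would make the check reproducible. A short comment above the line, such as `# black is pinned so formatting output does not drift between releases`, would record why the pin exists; that reason is presumed, since the commit does not state it.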
@@ -11,46 +11,55 b' import string' | |||||
11 | import subprocess |
|
11 | import subprocess | |
12 | import time |
|
12 | import time | |
13 |
|
13 | |||
|
14 | ||||
14 | def test_cve_2022_21699(): |
|
15 | def test_cve_2022_21699(): | |
15 | """ |
|
16 | """ | |
16 | Here we test CVE-2022-21699. |
|
17 | Here we test CVE-2022-21699. | |
17 |
|
18 | |||
18 |
We create a temporary directory, cd into it. |
|
19 | We create a temporary directory, cd into it. | |
19 |
Make a profile file that should not be executed and start IPython in a subprocess, |
|
20 | Make a profile file that should not be executed and start IPython in a subprocess, | |
20 | checking for the value. |
|
21 | checking for the value. | |
21 |
|
22 | |||
22 |
|
23 | |||
23 |
|
24 | |||
24 | """ |
|
25 | """ | |
25 |
|
26 | |||
26 |
dangerous_profile_dir = Path( |
|
27 | dangerous_profile_dir = Path("profile_default") | |
27 |
|
28 | |||
28 |
dangerous_startup_dir = dangerous_profile_dir / |
|
29 | dangerous_startup_dir = dangerous_profile_dir / "startup" | |
29 | dangerous_expected = 'CVE-2022-21699-'+''.join([random.choice(string.ascii_letters) for i in range(10)]) |
|
30 | dangerous_expected = "CVE-2022-21699-" + "".join( | |
|
31 | [random.choice(string.ascii_letters) for i in range(10)] | |||
|
32 | ) | |||
30 |
|
33 | |||
31 | with TemporaryWorkingDirectory() as t: |
|
34 | with TemporaryWorkingDirectory() as t: | |
32 | dangerous_startup_dir.mkdir(parents=True) |
|
35 | dangerous_startup_dir.mkdir(parents=True) | |
33 |
(dangerous_startup_dir/ |
|
36 | (dangerous_startup_dir / "foo.py").write_text(f'print("{dangerous_expected}")') | |
34 | # 1 sec to make sure FS is flushed. |
|
37 | # 1 sec to make sure FS is flushed. | |
35 | #time.sleep(1) |
|
38 | # time.sleep(1) | |
36 |
cmd = [sys.executable, |
|
39 | cmd = [sys.executable, "-m", "IPython"] | |
37 | env = os.environ.copy() |
|
40 | env = os.environ.copy() | |
38 |
env[ |
|
41 | env["IPY_TEST_SIMPLE_PROMPT"] = "1" | |
39 |
|
||||
40 |
|
42 | |||
41 | # First we fake old behavior, making sure the profile is/was actually dangerous |
|
43 | # First we fake old behavior, making sure the profile is/was actually dangerous | |
42 | p_dangerous = subprocess.Popen(cmd + [f'--profile-dir={dangerous_profile_dir}'], env=env, stdin=subprocess.PIPE, |
|
44 | p_dangerous = subprocess.Popen( | |
43 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
|
45 | cmd + [f"--profile-dir={dangerous_profile_dir}"], | |
|
46 | env=env, | |||
|
47 | stdin=subprocess.PIPE, | |||
|
48 | stdout=subprocess.PIPE, | |||
|
49 | stderr=subprocess.PIPE, | |||
|
50 | ) | |||
44 | out_dangerous, err_dangerouns = p_dangerous.communicate(b"exit\r") |
|
51 | out_dangerous, err_dangerouns = p_dangerous.communicate(b"exit\r") | |
45 | assert dangerous_expected in out_dangerous.decode() |
|
52 | assert dangerous_expected in out_dangerous.decode() | |
46 |
|
53 | |||
47 | # Now that we know it _would_ have been dangerous, we test it's not loaded |
|
54 | # Now that we know it _would_ have been dangerous, we test it's not loaded | |
48 |
p = subprocess.Popen( |
|
55 | p = subprocess.Popen( | |
49 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
|
56 | cmd, | |
|
57 | env=env, | |||
|
58 | stdin=subprocess.PIPE, | |||
|
59 | stdout=subprocess.PIPE, | |||
|
60 | stderr=subprocess.PIPE, | |||
|
61 | ) | |||
50 | out, err = p.communicate(b"exit\r") |
|
62 | out, err = p.communicate(b"exit\r") | |
51 |
assert b |
|
63 | assert b"IPython" in out | |
52 | assert dangerous_expected not in out.decode() |
|
64 | assert dangerous_expected not in out.decode() | |
53 |
assert err == b |
|
65 | assert err == b"" | |
54 |
|
||||
55 |
|
||||
56 |
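Review bot: Both `communicate(b"exit\r")` calls (new lines 51 and 62) run without a timeout, so if the IPython subprocess does not exit on that input, the CVE-2022-21699 regression test hangs the CI job instead of failing. Passing a bound, e.g. `out, err = p.communicate(b"exit\r", timeout=<seconds>)`, and killing the process on `subprocess.TimeoutExpired` would turn a hang into a test failure. The positive-control run binds stderr to the misspelled `err_dangerouns` and never reads it; renaming it to `err_dangerous` and using it as the assertion message (`assert dangerous_expected in out_dangerous.decode(), err_dangerous.decode()`) would make a failing control diagnosable. The commented-out `# time.sleep(1)` and its "1 sec" comment at new lines 37-38 describe code that no longer runs and could be removed.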
|