@@ -1,40 +1,40 b'' | |||||
1 | # This workflow will install Python dependencies, run tests and lint with a variety of Python versions |
|
1 | # This workflow will install Python dependencies, run tests and lint with a variety of Python versions | |
2 | # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions |
|
2 | # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions | |
3 |
|
3 | |||
4 | name: Python package |
|
4 | name: Python package | |
5 |
|
5 | |||
6 | on: |
|
6 | on: | |
7 | push: |
|
7 | push: | |
8 | branches: [ master, 7.x ] |
|
8 | branches: [ master, 7.x ] | |
9 | pull_request: |
|
9 | pull_request: | |
10 | branches: [ master, 7.x ] |
|
10 | branches: [ master, 7.x ] | |
11 |
|
11 | |||
12 | jobs: |
|
12 | jobs: | |
13 | formatting: |
|
13 | formatting: | |
14 |
|
14 | |||
15 | runs-on: ubuntu-latest |
|
15 | runs-on: ubuntu-latest | |
16 | timeout-minutes: 5 |
|
16 | timeout-minutes: 5 | |
17 | strategy: |
|
17 | strategy: | |
18 | matrix: |
|
18 | matrix: | |
19 | python-version: [3.8] |
|
19 | python-version: [3.8] | |
20 |
|
20 | |||
21 | steps: |
|
21 | steps: | |
22 | - uses: actions/checkout@v2 |
|
22 | - uses: actions/checkout@v2 | |
23 |
with: |
|
23 | with: | |
24 | fetch-depth: 0 |
|
24 | fetch-depth: 0 | |
25 | - name: Set up Python ${{ matrix.python-version }} |
|
25 | - name: Set up Python ${{ matrix.python-version }} | |
26 | uses: actions/setup-python@v2 |
|
26 | uses: actions/setup-python@v2 | |
27 | with: |
|
27 | with: | |
28 | python-version: ${{ matrix.python-version }} |
|
28 | python-version: ${{ matrix.python-version }} | |
29 | - name: Install dependencies |
|
29 | - name: Install dependencies | |
30 | run: | |
|
30 | run: | | |
31 | python -m pip install --upgrade pip |
|
31 | python -m pip install --upgrade pip | |
32 | pip install darker |
|
32 | pip install darker black==21.12b0 | |
33 | - name: Lint with darker |
|
33 | - name: Lint with darker | |
34 | run: | |
|
34 | run: | | |
35 | darker -r 60625f241f298b5039cb2debc365db38aa7bb522 --check --diff . || ( |
|
35 | darker -r 60625f241f298b5039cb2debc365db38aa7bb522 --check --diff . || ( | |
36 | echo "Changes need auto-formatting. Run:" |
|
36 | echo "Changes need auto-formatting. Run:" | |
37 | echo " darker -r 60625f241f298b5039cb2debc365db38aa7bb522" |
|
37 | echo " darker -r 60625f241f298b5039cb2debc365db38aa7bb522" | |
38 | echo "then commit and push changes to fix." |
|
38 | echo "then commit and push changes to fix." | |
39 | exit 1 |
|
39 | exit 1 | |
40 | ) |
|
40 | ) |
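Review bot: The new line 32 pins `black==21.12b0` but leaves `darker` itself unpinned, so the formatting gate can still change behaviour on a new darker release even though black is now fixed; pin both, e.g. `pip install darker==<pinned-version> black==21.12b0`, or install from a requirements file with `--require-hashes`. Related but unchanged in this hunk: `actions/checkout@v2` (line 22) and `actions/setup-python@v2` (line 26) are mutable major tags rather than commit SHAs, which is the usual hardening for workflow supply chain. A one-line comment above line 32, e.g. `# black is pinned so darker's check output is reproducible across runs`, would tell the next maintainer why this particular version is held.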
@@ -1,56 +1,65 b'' | |||||
1 | """ |
|
1 | """ | |
2 | Test that CVEs stay fixed. |
|
2 | Test that CVEs stay fixed. | |
3 | """ |
|
3 | """ | |
4 |
|
4 | |||
5 | from IPython.utils.tempdir import TemporaryDirectory, TemporaryWorkingDirectory |
|
5 | from IPython.utils.tempdir import TemporaryDirectory, TemporaryWorkingDirectory | |
6 | from pathlib import Path |
|
6 | from pathlib import Path | |
7 | import random |
|
7 | import random | |
8 | import sys |
|
8 | import sys | |
9 | import os |
|
9 | import os | |
10 | import string |
|
10 | import string | |
11 | import subprocess |
|
11 | import subprocess | |
12 | import time |
|
12 | import time | |
13 |
|
13 | |||
|
14 | ||||
14 | def test_cve_2022_21699(): |
|
15 | def test_cve_2022_21699(): | |
15 | """ |
|
16 | """ | |
16 | Here we test CVE-2022-21699. |
|
17 | Here we test CVE-2022-21699. | |
17 |
|
18 | |||
18 |
We create a temporary directory, cd into it. |
|
19 | We create a temporary directory, cd into it. | |
19 |
Make a profile file that should not be executed and start IPython in a subprocess, |
|
20 | Make a profile file that should not be executed and start IPython in a subprocess, | |
20 | checking for the value. |
|
21 | checking for the value. | |
21 |
|
22 | |||
22 |
|
23 | |||
23 |
|
24 | |||
24 | """ |
|
25 | """ | |
25 |
|
26 | |||
26 |
dangerous_profile_dir = Path( |
|
27 | dangerous_profile_dir = Path("profile_default") | |
27 |
|
28 | |||
28 |
dangerous_startup_dir = dangerous_profile_dir / |
|
29 | dangerous_startup_dir = dangerous_profile_dir / "startup" | |
29 | dangerous_expected = 'CVE-2022-21699-'+''.join([random.choice(string.ascii_letters) for i in range(10)]) |
|
30 | dangerous_expected = "CVE-2022-21699-" + "".join( | |
|
31 | [random.choice(string.ascii_letters) for i in range(10)] | |||
|
32 | ) | |||
30 |
|
33 | |||
31 | with TemporaryWorkingDirectory() as t: |
|
34 | with TemporaryWorkingDirectory() as t: | |
32 | dangerous_startup_dir.mkdir(parents=True) |
|
35 | dangerous_startup_dir.mkdir(parents=True) | |
33 |
(dangerous_startup_dir/ |
|
36 | (dangerous_startup_dir / "foo.py").write_text(f'print("{dangerous_expected}")') | |
34 | # 1 sec to make sure FS is flushed. |
|
37 | # 1 sec to make sure FS is flushed. | |
35 | #time.sleep(1) |
|
38 | # time.sleep(1) | |
36 |
cmd = [sys.executable, |
|
39 | cmd = [sys.executable, "-m", "IPython"] | |
37 | env = os.environ.copy() |
|
40 | env = os.environ.copy() | |
38 |
env[ |
|
41 | env["IPY_TEST_SIMPLE_PROMPT"] = "1" | |
39 |
|
||||
40 |
|
42 | |||
41 | # First we fake old behavior, making sure the profile is/was actually dangerous |
|
43 | # First we fake old behavior, making sure the profile is/was actually dangerous | |
42 | p_dangerous = subprocess.Popen(cmd + [f'--profile-dir={dangerous_profile_dir}'], env=env, stdin=subprocess.PIPE, |
|
44 | p_dangerous = subprocess.Popen( | |
43 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
|
45 | cmd + [f"--profile-dir={dangerous_profile_dir}"], | |
|
46 | env=env, | |||
|
47 | stdin=subprocess.PIPE, | |||
|
48 | stdout=subprocess.PIPE, | |||
|
49 | stderr=subprocess.PIPE, | |||
|
50 | ) | |||
44 | out_dangerous, err_dangerouns = p_dangerous.communicate(b"exit\r") |
|
51 | out_dangerous, err_dangerouns = p_dangerous.communicate(b"exit\r") | |
45 | assert dangerous_expected in out_dangerous.decode() |
|
52 | assert dangerous_expected in out_dangerous.decode() | |
46 |
|
53 | |||
47 | # Now that we know it _would_ have been dangerous, we test it's not loaded |
|
54 | # Now that we know it _would_ have been dangerous, we test it's not loaded | |
48 |
p = subprocess.Popen( |
|
55 | p = subprocess.Popen( | |
49 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
|
56 | cmd, | |
|
57 | env=env, | |||
|
58 | stdin=subprocess.PIPE, | |||
|
59 | stdout=subprocess.PIPE, | |||
|
60 | stderr=subprocess.PIPE, | |||
|
61 | ) | |||
50 | out, err = p.communicate(b"exit\r") |
|
62 | out, err = p.communicate(b"exit\r") | |
51 |
assert b |
|
63 | assert b"IPython" in out | |
52 | assert dangerous_expected not in out.decode() |
|
64 | assert dangerous_expected not in out.decode() | |
53 |
assert err == b |
|
65 | assert err == b"" | |
54 |
|
||||
55 |
|
||||
56 |
|
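Review bot: Both `communicate(b"exit\r")` calls (new lines 51 and 62) have no timeout, so if the spawned IPython does not terminate on the piped `exit` the test blocks the whole run instead of failing; pass a bound, e.g. `out_dangerous, err_dangerouns = p_dangerous.communicate(b"exit\r", timeout=60)`, and the same for `p` on line 62. The second launch (lines 55–61) runs with a copy of the caller's environment and no `--profile-dir`, so the `assert err == b""` on line 65 also depends on whatever IPython directory or profile the developer or CI runner has configured; pointing `env["IPYTHONDIR"]` at a fresh temporary directory (the file already imports `TemporaryDirectory`) would isolate the run from that. Minor: `err_dangerouns` on line 51 looks like a typo for `err_dangerous`, and the `t` bound on line 34 is never used.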