@@ -1,40 +1,40 b'' | |||
|
1 | 1 | # This workflow will install Python dependencies, run tests and lint with a variety of Python versions |
|
2 | 2 | # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions |
|
3 | 3 | |
|
4 | 4 | name: Python package |
|
5 | 5 | |
|
6 | 6 | on: |
|
7 | 7 | push: |
|
8 | 8 | branches: [ master, 7.x ] |
|
9 | 9 | pull_request: |
|
10 | 10 | branches: [ master, 7.x ] |
|
11 | 11 | |
|
12 | 12 | jobs: |
|
13 | 13 | formatting: |
|
14 | 14 | |
|
15 | 15 | runs-on: ubuntu-latest |
|
16 | 16 | timeout-minutes: 5 |
|
17 | 17 | strategy: |
|
18 | 18 | matrix: |
|
19 | 19 | python-version: [3.8] |
|
20 | 20 | |
|
21 | 21 | steps: |
|
22 | 22 | - uses: actions/checkout@v2 |
|
23 | 23 |
with: |
|
24 | 24 | fetch-depth: 0 |
|
25 | 25 | - name: Set up Python ${{ matrix.python-version }} |
|
26 | 26 | uses: actions/setup-python@v2 |
|
27 | 27 | with: |
|
28 | 28 | python-version: ${{ matrix.python-version }} |
|
29 | 29 | - name: Install dependencies |
|
30 | 30 | run: | |
|
31 | 31 | python -m pip install --upgrade pip |
|
32 | pip install darker | |
|
32 | pip install darker black==21.12b0 | |
|
33 | 33 | - name: Lint with darker |
|
34 | 34 | run: | |
|
35 | 35 | darker -r 60625f241f298b5039cb2debc365db38aa7bb522 --check --diff . || ( |
|
36 | 36 | echo "Changes need auto-formatting. Run:" |
|
37 | 37 | echo " darker -r 60625f241f298b5039cb2debc365db38aa7bb522" |
|
38 | 38 | echo "then commit and push changes to fix." |
|
39 | 39 | exit 1 |
|
40 | 40 | ) |
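Review bot: Only black is pinned on the new line 32; darker itself is still installed unpinned, so the `darker --check` result on line 35 can still change from one run to the next as darker releases alter which hunks they reformat. Pinning both, e.g. `pip install darker==<darker-version> black==21.12b0`, keeps the lint gate reproducible — which darker release the project currently expects is not visible on this page, so the version is a placeholder. For the same reproducibility reason the `actions/checkout@v2` and `actions/setup-python@v2` references on lines 22 and 26 resolve a moving tag; pinning them to a full commit SHA with the tag in a trailing comment is the usual hardening for a workflow that runs on pull requests.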
@@ -1,56 +1,65 b'' | |||
|
1 | 1 | """ |
|
2 | 2 | Test that CVEs stay fixed. |
|
3 | 3 | """ |
|
4 | 4 | |
|
5 | 5 | from IPython.utils.tempdir import TemporaryDirectory, TemporaryWorkingDirectory |
|
6 | 6 | from pathlib import Path |
|
7 | 7 | import random |
|
8 | 8 | import sys |
|
9 | 9 | import os |
|
10 | 10 | import string |
|
11 | 11 | import subprocess |
|
12 | 12 | import time |
|
13 | 13 | |
|
14 | ||
|
14 | 15 | def test_cve_2022_21699(): |
|
15 | 16 | """ |
|
16 | 17 | Here we test CVE-2022-21699. |
|
17 | 18 | |
|
18 | 19 |
We create a temporary directory, cd into it. |
|
19 | 20 |
Make a profile file that should not be executed and start IPython in a subprocess, |
|
20 | 21 | checking for the value. |
|
21 | 22 | |
|
22 | 23 | |
|
23 | 24 | |
|
24 | 25 | """ |
|
25 | 26 | |
|
26 |
dangerous_profile_dir = Path( |
|
|
27 | dangerous_profile_dir = Path("profile_default") | |
|
27 | 28 | |
|
28 |
dangerous_startup_dir = dangerous_profile_dir / |
|
|
29 | dangerous_expected = 'CVE-2022-21699-'+''.join([random.choice(string.ascii_letters) for i in range(10)]) | |
|
29 | dangerous_startup_dir = dangerous_profile_dir / "startup" | |
|
30 | dangerous_expected = "CVE-2022-21699-" + "".join( | |
|
31 | [random.choice(string.ascii_letters) for i in range(10)] | |
|
32 | ) | |
|
30 | 33 | |
|
31 | 34 | with TemporaryWorkingDirectory() as t: |
|
32 | 35 | dangerous_startup_dir.mkdir(parents=True) |
|
33 |
(dangerous_startup_dir/ |
|
|
36 | (dangerous_startup_dir / "foo.py").write_text(f'print("{dangerous_expected}")') | |
|
34 | 37 | # 1 sec to make sure FS is flushed. |
|
35 | 38 | #time.sleep(1) |
|
36 |
cmd = [sys.executable, |
|
|
39 | cmd = [sys.executable, "-m", "IPython"] | |
|
37 | 40 | env = os.environ.copy() |
|
38 |
env[ |
|
|
39 | ||
|
41 | env["IPY_TEST_SIMPLE_PROMPT"] = "1" | |
|
40 | 42 | |
|
41 | 43 | # First we fake old behavior, making sure the profile is/was actually dangerous |
|
42 | p_dangerous = subprocess.Popen(cmd + [f'--profile-dir={dangerous_profile_dir}'], env=env, stdin=subprocess.PIPE, | |
|
43 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) | |
|
44 | p_dangerous = subprocess.Popen( | |
|
45 | cmd + [f"--profile-dir={dangerous_profile_dir}"], | |
|
46 | env=env, | |
|
47 | stdin=subprocess.PIPE, | |
|
48 | stdout=subprocess.PIPE, | |
|
49 | stderr=subprocess.PIPE, | |
|
50 | ) | |
|
44 | 51 | out_dangerous, err_dangerouns = p_dangerous.communicate(b"exit\r") |
|
45 | 52 | assert dangerous_expected in out_dangerous.decode() |
|
46 | 53 | |
|
47 | 54 | # Now that we know it _would_ have been dangerous, we test it's not loaded |
|
48 |
p = subprocess.Popen( |
|
|
49 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) | |
|
55 | p = subprocess.Popen( | |
|
56 | cmd, | |
|
57 | env=env, | |
|
58 | stdin=subprocess.PIPE, | |
|
59 | stdout=subprocess.PIPE, | |
|
60 | stderr=subprocess.PIPE, | |
|
61 | ) | |
|
50 | 62 | out, err = p.communicate(b"exit\r") |
|
51 |
assert b |
|
|
63 | assert b"IPython" in out | |
|
52 | 64 | assert dangerous_expected not in out.decode() |
|
53 |
assert err == b |
|
|
54 | ||
|
55 | ||
|
56 | ||
|
65 | assert err == b"" |
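Review bot: The reformatting keeps the commented-out `#time.sleep(1)` on new line 38 together with its now-misleading comment `# 1 sec to make sure FS is flushed.` on line 37, and `import time` on line 12 exists only to serve that dead line; either drop both lines and the import, or restore the sleep with a comment saying why it is needed. The two `communicate(b"exit\r")` calls on lines 51 and 62 have no `timeout=`, so an IPython process that never reaches the exit prompt (for instance if the simple-prompt variable set on line 41 is not honoured) stalls the whole test run instead of failing; `p.communicate(b"exit\r", timeout=60)` with `p.kill()` in an `except subprocess.TimeoutExpired` handler keeps this regression test bounded. Minor: `err_dangerouns` on line 51 is misspelled and unused, and `TemporaryDirectory` (line 5) and the `t` bound by the `with` on line 34 are never used; `out_dangerous, _ = ...` and trimming the import read cleaner. The test body starts on line 15 and ends on line 65, both inside this section.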