upstream/ipython Files · IPython/lib/tests/test_pygments.py

Fix CVE-2023-24816 by removing legacy code....

Fix CVE-2023-24816 by removing legacy code. Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contain the current working directory of the current IPython session. If an attacker can control directory names, and manage to get a user cd into this directory the attacker can execute arbitrary commands contained in the folder names. Example: - On a windows machine where python is built without _ctypes, create a folder called && echo "pwn" > pwn.txt. This can be done by for example cloning a git repository. - call toggled_set_term_title(True), (or have the preference to true) - Open IPython and cd into this directory. - the folder now contain a pwn.txt, with pwn as content, despite the user not asking for any code execution. Workaround: Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).

Nicholas Bollweg - - Load All Authors

File last commit:

r27909:017b677e


                r28089:991849c2

Download file

             test_pygments.py
        
                    26 lines
            
             | 824 B
            
                | text/x-python
            
             |
                PythonLexer
            
             / IPython / lib / tests / test_pygments.py
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

      from typing import List

      import pytest

      import pygments.lexers

      import pygments.lexer

      from IPython.lib.lexers import IPythonConsoleLexer, IPythonLexer, IPython3Lexer

      #: the human-readable names of the IPython lexers with ``entry_points``

      EXPECTED_LEXER_NAMES = [

          cls.name for cls in [IPythonConsoleLexer, IPythonLexer, IPython3Lexer]

      ]

      @pytest.fixture

      def all_pygments_lexer_names() -> List[str]:

          """Get all lexer names registered in pygments."""

          return {l[0] for l in pygments.lexers.get_all_lexers()}

      @pytest.mark.parametrize("expected_lexer", EXPECTED_LEXER_NAMES)

      def test_pygments_entry_points(

          expected_lexer: str, all_pygments_lexer_names: List[str]

      ) -> None:

          """Check whether the ``entry_points`` for ``pygments.lexers`` are correct."""

          assert expected_lexer in all_pygments_lexer_names

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				from typing import List

				import pytest
				import pygments.lexers
				import pygments.lexer

				from IPython.lib.lexers import IPythonConsoleLexer, IPythonLexer, IPython3Lexer

				#: the human-readable names of the IPython lexers with ``entry_points``
				EXPECTED_LEXER_NAMES = [
				cls.name for cls in [IPythonConsoleLexer, IPythonLexer, IPython3Lexer]
				]


				@pytest.fixture
				def all_pygments_lexer_names() -> List[str]:
				"""Get all lexer names registered in pygments."""
				return {l[0] for l in pygments.lexers.get_all_lexers()}


				@pytest.mark.parametrize("expected_lexer", EXPECTED_LEXER_NAMES)
				def test_pygments_entry_points(
				expected_lexer: str, all_pygments_lexer_names: List[str]
				) -> None:
				"""Check whether the ``entry_points`` for ``pygments.lexers`` are correct."""
				assert expected_lexer in all_pygments_lexer_names