Command injection is possible via activation script #2768

Closed
y5c4l3 opened this issue Sep 23, 2024 · 0 comments
y5c4l3 commented Sep 23, 2024

Issue

This issue was originally reported to Tidelift, with disclosure negotiated with the maintainer.

The activation script in virtualenv is command injectable via a crafted path:

envname="';uname -a;':"
mkdir "$envname"
cd "$envname"
virtualenv .
. ./bin/activate
Linux archlinux 6.10.6-arch1-1 #1 SMP PREEMPT_DYNAMIC Mon, 19 Aug 2024 17:02:39

The execution path is low-risk since users clearly know what they are doing. However, it makes downstream attack vectors possible. More details on possible exploits of a famous downstream were disclosed to the maintainers of that project and virtualenv.

Environment

  • OS: Linux
@y5c4l3 y5c4l3 added the bug label Sep 23, 2024
y5c4l3 added a commit to y5c4l3/virtualenv that referenced this issue Sep 27, 2024
This patch adds `quote` method in `ViaTemplateActivator` so that the
magic template strings can be quoted correctly when replacing. This
mitigates potential command injection (pypa#2768).

Signed-off-by: y5c4l3 <y5c4l3@proton.me>
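
The quoting fix the commit message describes, sketched as an added example that is not virtualenv's own code. The one-line templates and the `__VIRTUAL_ENV__` placeholder are simplified stand-ins, `shlex.quote` is assumed as the POSIX quoting routine, and `/tmp/demo` is a constructed parent for the directory name from the report. Nothing is executed; the rendered line is only tokenised to show whether it is still a single assignment.

```python
import shlex

# Constructed one-line stand-ins for an activation template; the placeholder
# name and both layouts are assumptions made for this example.
RAW_TEMPLATE = "VIRTUAL_ENV='__VIRTUAL_ENV__'"   # quotes hard-coded in the template
QUOTED_TEMPLATE = "VIRTUAL_ENV=__VIRTUAL_ENV__"  # quoting left to the renderer

# Directory name from the report, under a constructed parent directory.
CRAFTED_PATH = "/tmp/demo/';uname -a;':"


def render_raw(path):
    """Paste the path between the template's own quotes, with no escaping."""
    return RAW_TEMPLATE.replace("__VIRTUAL_ENV__", path)


def render_quoted(path):
    """Quote the value for a POSIX shell before substituting it."""
    return QUOTED_TEMPLATE.replace("__VIRTUAL_ENV__", shlex.quote(path))


def shell_words(line):
    """Approximate POSIX word splitting, keeping ; | & ( ) < > as tokens."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def is_single_assignment(line, path):
    """True only if the line is exactly one word: VIRTUAL_ENV=<path>."""
    try:
        return shell_words(line) == ["VIRTUAL_ENV=" + path]
    except ValueError:
        # Unbalanced quotes: the path broke out of the template's quoting.
        return False


if __name__ == "__main__":
    for render in (render_raw, render_quoted):
        line = render(CRAFTED_PATH)
        print(f"{render.__name__:14} {line}")
        print(f"{'':14} words={shell_words(line)}")
        print(f"{'':14} single assignment: {is_single_assignment(line, CRAFTED_PATH)}")
```

The same round-trip check can serve as a regression test for a template renderer: any path for which `is_single_assignment` is false has escaped its quoting.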