Skip to content

Builds: prevent code injection in cwd #8198

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 20, 2021
Merged

Builds: prevent code injection in cwd #8198

merged 3 commits into from
May 20, 2021

Conversation

stsewd
Copy link
Member

@stsewd stsewd commented May 19, 2021

This isn't a vulnerability since this command is executed inside
a container with a unprivileged user.

I have replaced the usage of manual cd with using the workdir
option from docker. This option doesn't support env vars expansion
(which is safer), so I had to introduce a new setting.

There is a PR to update usage of $HOME in .com

stsewd added 2 commits May 19, 2021 14:06
@stsewd
Fix code injection in cwd
299fc13 
This isn't a vulnerability since this command is executed inside
a container with a unprivileged user.

I have replaced the usage of manual `cd` with using the `workdir`
option from docker. This option doesn't support env vars expansion
(which is safer), so I had to introduce a new setting.
@stsewd
Update tests
215dc14
@stsewd stsewd requested a review from a team May 19, 2021 19:33
stsewd
stsewd commented May 19, 2021
View reviewed changes
@stsewd stsewd force-pushed the fix-code-injection-in-cwd branch from b1c6d7b to ec47d3e Compare May 19, 2021 23:38
humitos
humitos approved these changes May 20, 2021
View reviewed changes
Copy link
Member

@humitos humitos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

readthedocs/doc_builder/python_environments.py
@@ -323,7 +323,7 @@ def setup_base(self):
# Don't use virtualenv bin that doesn't exist yet
bin_path=None,
# Don't use the project's root, some config files can interfere
cwd='$HOME',
cwd=None,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens when cwd= is None? Wouldn't be better to default to /tmp or similar?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It defaults to RTD_DOCKER_WORKDIR ($HOME replacement), it can be omitted now, but didn't want to lose the comment

@stsewd stsewd merged commit b586cf0 into master May 20, 2021
@stsewd stsewd deleted the fix-code-injection-in-cwd branch May 20, 2021 18:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@humitos humitos humitos approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@stsewd @humitos