-
-
Notifications
You must be signed in to change notification settings - Fork 207
Open
Description
Even if load_config_file
is given an absolute path to a config file, it will load all files that have the same basename that are in that directory.
This is highly surprising and potentially a security issue.
Example:
from pathlib import Path
from traitlets import Integer
from traitlets.config import Application
from tempfile import TemporaryDirectory
class Foo(Application):
bar = Integer(0).tag(config=True)
def start(self):
print(self.bar)
if __name__ == "__main__":
with TemporaryDirectory() as tmpdir:
tmpdir = Path(tmpdir)
json_path = tmpdir / "foo.json"
py_path = tmpdir / "foo.py"
# valid python, invalid
py_path.write_text("c.Foo.bar = 10")
json_path.write_text("Invalid json")
app = Foo()
app.load_config_file(py_path)
app.start()
# other way around
py_path.write_text("raise Exception('You loaded the python file!')")
json_path.write_text('{"Foo": {"bar": 11}}')
app = Foo()
app.load_config_file(json_path)
app.start()
Metadata
Metadata
Assignees
Labels
No labels