Merge pull request #123 from MichaelAquilina/fix/insecure_activation
fix: insecure activation of virtualenvs
MichaelAquilina committed Jan 7, 2020
2 parents 93776cf + 05af733 commit 30c77db
Showing 3 changed files with 34 additions and 2 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.rst
@@ -1,6 +1,10 @@
Changelog
=========

1.16.0
------
* Fix insecure activation of virtualenvs (#122)

1.15.2
------
* Use absolute path for ``/usr/bin/stat`` to prevent conflicts with other ``stat`` binaries. Fixes #110
20 changes: 18 additions & 2 deletions autoswitch_virtualenv.plugin.zsh
@@ -1,4 +1,4 @@
export AUTOSWITCH_VERSION="1.15.2"
export AUTOSWITCH_VERSION="1.16.0"
export AUTOSWITCH_FILE=".venv"

RED="\e[31m"
Expand All @@ -8,6 +8,20 @@ BOLD="\e[1m"
NORMAL="\e[0m"


function _validated_source() {
local target_path="$1"

if [[ "$target_path" == *'..'* ]]; then
printf "AUTOSWITCH WARNING: "
printf "target virtualenv contains invalid characters\n"
printf "virtualenv activation cancelled\n"
return
else
source "$target_path"
fi
}


function _virtual_env_dir() {
local venv_name="$1"
local VIRTUAL_ENV_DIR="${AUTOSWITCH_VIRTUAL_ENV_DIR:-$HOME/.virtualenvs}"
Expand Down Expand Up @@ -93,7 +107,9 @@ function _maybeworkon() {
fi

# Much faster to source the activate file directly rather than use the `workon` command
source "$venv_dir/bin/activate"
local activate_script="$venv_dir/bin/activate"

_validated_source "$activate_script"
fi
}

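Review bot: `_validated_source` refuses a path only when it contains the literal substring `..`, which is a blocklist on how the path is spelled rather than a check on where it resolves: a symlinked entry under the virtualenv root still escapes it, while a legitimately named virtualenv such as `py..3` is refused. Since the root is already known (`${AUTOSWITCH_VIRTUAL_ENV_DIR:-$HOME/.virtualenvs}` in `_virtual_env_dir`), a stronger check resolves the path with zsh's `:A` modifier and requires the result to be a regular file under the resolved root. The refusal branch also ends in a bare `return`, which yields printf's status 0, so `_maybeworkon` reports success after cancelling; `return 1` lets callers and the test's `$state` tell the two outcomes apart (the new test currently asserts 0 and would need updating). If the test fixtures build virtualenvs outside that root, the root should be passed in as a second argument instead of read from the environment. `_maybeworkon`'s body starts outside the hunk, so whether `venv_dir` always originates from `_virtual_env_dir` is not visible here.
```shell
function _validated_source() {
    local target_path="$1"
    local venv_root="${AUTOSWITCH_VIRTUAL_ENV_DIR:-$HOME/.virtualenvs}"
    # Resolve symlinks and '..' (zsh :A) and require the result to be a regular
    # file inside the virtualenv root, instead of pattern-matching on '..'.
    local resolved="${target_path:A}"

    if [[ "$resolved" != "${venv_root:A}"/* || ! -f "$resolved" ]]; then
        printf "AUTOSWITCH WARNING: "
        printf "target virtualenv contains invalid characters\n"
        printf "virtualenv activation cancelled\n"
        return 1
    fi
    source "$resolved"
}
```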
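--- a/tests/test_maybeworkon.zunit
+++ b/tests/test_maybeworkon.zunit
@@ -23,6 +23,18 @@
 rm -rf "$TARGET"
 }
 
+@test '_maybeworkon - do not activate paths which are potentially inscure' {
+VIRTUAL_ENV=""
+
+run _maybeworkon "$TARGET/../../../" virtualenv
+
+assert $state equals 0
+
+# first line would be the "switching virtualenv: ...."
+assert "${lines[2]}" same_as "AUTOSWITCH WARNING: target virtualenv contains invalid characters"
+assert "${lines[3]}" same_as "virtualenv activation cancelled"
+}
+
 @test '_maybeworkon - error message if virtualenv can not be found' {
 VIRTUAL_ENV=""
 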
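Review bot: The new test pins `assert $state equals 0` for a refused activation, so the suite now locks in that `_maybeworkon` reports success after cancelling; if the refusal path in the plugin is changed to return non-zero, this should become `assert $state equals 1` so the two outcomes stay distinguishable. The test name has a typo, `inscure` for `insecure`. It also exercises only the `..` spelling; a companion case for a path that resolves outside the expected location without `..` (for example via a symlink created under `$TARGET`) would document the intended contract rather than the current substring check, and is expected to fail until that check is strengthened. The first lines of the hunk close a test whose start is outside the hunk.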
