run_release.py builds remote shell command strings for release publication.
Several values are interpolated directly into those command strings, including
release credential environment values, the release tag, and remote staging paths
derived from release-manager state.
Those values are normally trusted release-process inputs, but quoting them
consistently makes the generated commands safer and more predictable when a
value contains whitespace or shell metacharacters.
Reproducer
Using mocked Paramiko clients:
- Set the python.org API credential value to contain shell metacharacters, such
as user:key; echo unexpected.
- Make the fake Sigstore issuer return a token containing shell metacharacters,
such as token; touch /tmp/unexpected.
- Run the python.org upload step and capture the command sent to
exec_command().
- The captured command includes those values unquoted in the AUTH_INFO=... and
SIGSTORE_IDENTITY_TOKEN=... assignments.
Similar mocked tests can set the release-manager SSH username to a value with a
metacharacter and observe that derived staging paths are inserted into cleanup,
copy, unzip, move, group, and permission commands without quoting.
Expected behavior
Release-tool commands should quote environment values, release arguments, and
remote filesystem paths before sending command strings to the remote shell,
while preserving intentional glob expansion for staged artifact copies.
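The following is an added example, not code from run_release.py or the release-tools project, showing how the expected behavior can be implemented: every environment value, release argument, and remote path is passed through shlex.quote() before interpolation, and the one place that must stay unquoted (the glob pattern for staged artifact copies) is validated against a small allowed character set instead. The helper names, the /home/<user>/staging/<tag> layout, and the sample inputs are assumptions constructed for the example.

```python
import re
import shlex

# Hypothetical helpers (added example, not run_release.py's own code) showing
# how values that reach a remote shell can be quoted before interpolation.

# The only text deliberately left outside quotes is the glob pattern used for
# staged artifact copies, so it is restricted to a narrow character set.
_GLOB_OK = re.compile(r"[\w.*?-]+")
_ENV_NAME_OK = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def env_assignments(env: dict) -> str:
    """Render KEY=value prefixes, quoting every value with shlex.quote().

    shlex.quote() wraps anything containing shell metacharacters in single
    quotes, so a value like "user:key; echo unexpected" stays one shell word
    instead of terminating the assignment and starting a second command.
    """
    for key in env:
        if not _ENV_NAME_OK.fullmatch(key):
            raise ValueError(f"bad environment variable name: {key!r}")
    return " ".join(f"{key}={shlex.quote(value)}" for key, value in env.items())


def staging_dir(ssh_user: str, tag: str) -> str:
    """Derive a remote staging path from release-manager state (constructed layout)."""
    return f"/home/{ssh_user}/staging/{tag}"


def build_upload_command(env: dict, script: str, tag: str) -> str:
    """AUTH_INFO=... SIGSTORE_IDENTITY_TOKEN=... <script> <tag>, each part quoted."""
    return f"{env_assignments(env)} {shlex.quote(script)} {shlex.quote(tag)}"


def build_copy_command(src_dir: str, dest_dir: str, pattern: str = "*") -> str:
    """cp <src_dir>/<pattern> <dest_dir>/ with both directories quoted.

    The glob pattern is appended outside the quotes so the remote shell still
    expands it; because it is not quoted, it is validated instead.
    """
    if not _GLOB_OK.fullmatch(pattern):
        raise ValueError(f"refusing unexpected glob pattern: {pattern!r}")
    return f"cp {shlex.quote(src_dir)}/{pattern} {shlex.quote(dest_dir)}/"


def build_cleanup_command(path: str) -> str:
    """rm -rf <path> with the path quoted."""
    return f"rm -rf {shlex.quote(path)}"


def shell_words(command: str) -> list:
    """Split a command the way a POSIX shell would, to check word boundaries."""
    return shlex.split(command)


if __name__ == "__main__":
    # Constructed inputs mirroring the metacharacter values in the reproducer.
    hostile_env = {
        "AUTH_INFO": "user:key; echo unexpected",
        "SIGSTORE_IDENTITY_TOKEN": "token; touch /tmp/unexpected",
    }
    print(build_upload_command(hostile_env, "/srv/release/upload.sh", "v3.14.0"))
    stage = staging_dir("rm; echo", "v3.14.0")
    print(build_copy_command(stage, "/srv/www/releases", "*.tar.xz"))
    print(build_cleanup_command(stage))
```

shell_words() is a cheap way to assert in a mocked Paramiko test that each interpolated value arrives as exactly one word of the captured exec_command() string. Quoting only fixes word splitting: the Sigstore token still appears in the command line itself, so it remains visible in process listings and shell history on the remote host, and a secret of that kind is better delivered through a channel other than the command string where the tooling allows it.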