diff options
| author | Mike Salvatore <mike.s.salvatore@gmail.com> | 2022-09-18 19:30:03 -0400 |
|---|---|---|
| committer | Mike Salvatore <mike.s.salvatore@gmail.com> | 2022-09-18 19:30:03 -0400 |
| commit | 4249da1ecfaca9541d64f0d3c7f08fb22e73e3b9 (patch) | |
| tree | 8263e1b19f96844f8e6fded9c1a1f8932a5c129b /setuptools/config | |
| parent | ba3995e5705a22e13bb5d2231ac22c77e4417747 (diff) | |
| download | python-setuptools-git-4249da1ecfaca9541d64f0d3c7f08fb22e73e3b9.tar.gz | |
Catch an edge case in expand._assert_local()
Using str.startswith() has an edge case where someone can access files
outside the root directory. For example, consider the case where the
root directory is "/home/user/my-package" but some secrets are stored in
"/home/user/my-package-secrets". Evaluating a check that
"/home/user/my-package-secrets".startswith("/home/user/my-package") will
return True, but the statement's intention is that no file outside of
"/home/user/my-package" can be accessed.
Using pathlib.Path.resolve() and pathlib.Path.parents eliminates this
edge case.
Diffstat (limited to 'setuptools/config')
| -rw-r--r-- | setuptools/config/expand.py | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/setuptools/config/expand.py b/setuptools/config/expand.py index 384504d8..1497b20c 100644 --- a/setuptools/config/expand.py +++ b/setuptools/config/expand.py @@ -41,6 +41,7 @@ from typing import ( Union, cast ) +from pathlib import Path from types import ModuleType from distutils.errors import DistutilsOptionError @@ -150,7 +151,9 @@ def _read_file(filepath: Union[bytes, _Path]) -> str: def _assert_local(filepath: _Path, root_dir: str): - if not os.path.abspath(filepath).startswith(root_dir): + # NOTE: Path.resolve() will raise RuntimeError if an infinite loop is + # encountered along the resolution path of root_dir or file_path. + if Path(root_dir).resolve() not in Path(filepath).resolve().parents: msg = f"Cannot access {filepath!r} (or anything outside {root_dir!r})" raise DistutilsOptionError(msg) |