-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bad character range a-b at position X in _expand_args when brackets included #2135
Comments
Another proposed implementation: Inside an option, expose this: @click.option(expand_args=False) to allow explicit bypass of this behavior (I was looking through the code to figure out how to do this, but there is a lot more going on than I thought :)) And inside the function: glob_arg = arg if expand_args else escape(arg)
matches = glob(glob_arg, recursive=True) |
See #1901 |
So, that is supported? And should we consider the security vulnerability aspects of this? |
Yes, expanding globs on Windows is supported internally, since the Windows shell doesn't do it. #1918 added a way to disable it. Escaping the values before passing them to glob would completely defeat the purpose. I'm unclear how it could be a security issue, the user controls what values they pass to the command on their own machine. Please review https://github.com/pallets/click/security/policy for how to report security issues. This is not the appropriate venue for that, and you'll need to be much more specific. |
Apologies, but it took a while to figure out how to implement #1918. Is it possible to expand on documentation for it? Or is it already there and I am just bad at finding it? :) For us, we had to do this: main = click.CommandCollection(sources=[scripts, plugins])
if __name__ == "__main__":
sys.exit(main(windows_expand_args=False)) |
You don't need |
Hmm... we're having issues with this fix in another one of our environments. Thank you for all the pointers. |
Yep. Our code path problem. So, following up, why wouldn’t we want to expose this at a click option level? That is, be able to suppress/enable as a keyword arg per option? |
Because it doesn't happen at the option level, it happens once before parsing |
Follow up in #2195, bad patterns will be left as-is instead of causing an error. |
After upgrade from click-7.x to click-8.x, we are experiencing a failure due to glob blindly parsing arguments that include regex patterns.
Example Input: (see minimum code example, below)
This was rootcaused to a new line inside the new helper
click/utils.py::_expand_args
:Minimum Working Example
A couple things, here:
Proposal
Sanitize the call to glob:
This removes the security vulnerability and doesn't do some hidden regex underneath the hood, before data makes it to the user.
It's worth noting, escaping the brackets also works:
\[some-string\]
, but we would need to escape any regex character, which may not be feasible in all environments.When attempting to repro this via a unit test, Click CliRunner does not hit the same issue. This could be a different bug. I had to use
subprocess
to hit the issue.Environment:
The text was updated successfully, but these errors were encountered: