Update setup.py #52944
Update setup.py #52944
Conversation
|
你的PR提交成功,感谢你对开源项目的贡献! |
|
❌ The PR is not created using PR's template. You can refer to this Demo. |
|
|
|
Thank you for reporting this vulnerability. You can change the logic of python/setup.py.in synchronously,the same problem may exist . When all the CI have passed, you can ask me for approval. |
|
Sorry to inform you that b302eb2's CIs have passed for more than 7 days. To prevent PR conflicts, you need to re-run all CIs manually. |
Hello, I found the use of the os. open() function in the setup.py file while using the code, which can execute system commands. When input parameters are not strictly filtered, it may lead to the execution of arbitrary system commands, forming a command injection vulnerability.
Vulnerability principle:
os. open() can execute system commands. Without properly filtering user input, if the user concatenates their input as a parameter of the system command into the command line, it can cause a vulnerability in command injection. For example, if the user inputs a parameter of "ls - l; ping 1.2.3.4", both instructions will be executed, and the user can independently control the form of the second command, which endangers system security.
Repair suggestions:
Use shlex. quote() to strictly filter the input of the function. The function's functions include adding single quotes to the outermost layer of the string to make it appear as a single entity, and using double quotes to enclose single quotes within the string to prevent it from losing its possible closure function.