def bump_version(version: str) -> None:
    # 'poetry' is looked up via PATH rather than given as an absolute path
    version = subprocess.run(
        ['poetry', 'version', '-s', version], cwd=CWD, capture_output=True
    ).stdout.decode().strip()

    with open(CWD / 'nukeserversocket' / 'version.py', 'w') as f:
        f.write(f"__version__ = '{version}'")


def build() -> None:
    # 'git' is looked up via PATH rather than given as an absolute path
    subprocess.run(
        ['git', 'archive', '-o', f'{DIST}/nukeserversocket.zip', 'HEAD'],
        cwd=CWD
    )


def bump_version(version: str) -> None:
Python possesses many mechanisms to invoke an external executable. If the executable path is not fully qualified from the filesystem root, the call may present a security risk.
In POSIX environments, the PATH environment variable specifies a set of standard locations that are searched, in order, for the first matching executable name. While convenient, this behavior may allow a malicious actor to exert control over a system: if they can adjust the contents of the PATH variable, or manipulate the file system, a bogus executable may be found in place of the intended one. That executable runs with the privileges of the Python process that spawned it, potentially a highly privileged user.
This test scans the parameters of all configured Python process-spawning methods, looking for executable paths that do not start at the filesystem root, that is, that lack a leading '/' character.
import subprocess
subprocess.run(['calculator', '-u', 'critical', msg], check=True)  # Sensitive, path not qualified from root

import subprocess
subprocess.run(['/usr/bin/calculator', '-u', 'critical', msg], check=True)  # Path qualified from root