That's true, but it would be nice if PDM would differentiate itself even in software security. 🙂 And not having offered the template feature, or not providing an example of writing source code (security-by-default), would have been a low-cost way to avoid the risk.
Is your feature request related to a problem? Please describe.

https://pdm-backend.fming.dev/metadata/#writing-dynamic-version-to-file suggests a procedure for writing a package version to a file. Python source code generation is also described. Generating source code with unsanitized input is dangerous (CWE-20).

Describe the solution you'd like

As a security-conscious developer, I want PDM to sanitize the version string that is substituted into the template, so that when something unexpected happens (e.g., an env var is tainted in a CI pipeline), a code injection vulnerability is mitigated.

Besides the existing `{}` ('raw string') placeholder, which puts the raw version characters into the file, add, e.g., a placeholder `{str_version}` that directly inserts a quoted (non-f-)string.

Warn when the raw string placeholder is used, both in the docs and at runtime.

Alternatively, deprecate the feature to write the version file according to a template.
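To make the risk concrete, here is an added example (my own illustration, not pdm-backend's code or API) of both halves of the request: a raw `{}` template rendered with a tainted version string, and a hypothetical `{str_version}` renderer that validates the version and inserts it as a quoted Python literal. `RAW_TEMPLATE`, `QUOTED_TEMPLATE`, the simplified PEP 440 regex and the tainted input are all assumptions constructed for the demonstration; a real implementation would validate with `packaging.version.Version` instead of a hand-written pattern.

```python
import ast
import re

# Simplified PEP 440 shape (assumption for this example; use packaging.version
# in real code). Anything with quotes, semicolons or spaces is rejected.
_VERSION_RE = re.compile(
    r"^[0-9]+(\.[0-9]+)*((a|b|rc)[0-9]+)?(\.post[0-9]+)?(\.dev[0-9]+)?(\+[0-9A-Za-z.]+)?$"
)

# Hypothetical templates in the style described by the issue. The raw '{}'
# placeholder splices version characters straight into Python source.
RAW_TEMPLATE = "__version__ = '{}'\n"
QUOTED_TEMPLATE = "__version__ = {str_version}\n"

# Constructed tainted input, e.g. a version taken from a CI environment variable.
TAINTED_VERSION = "1.0'; import os; os.system('id'); x='"
CLEAN_VERSION = "1.2.3rc1"


def render_raw(template: str, version: str) -> str:
    """Unsafe rendering: the version is substituted verbatim (the behaviour the issue warns about)."""
    return template.format(version)


def render_quoted(template: str, version: str) -> str:
    """Safer rendering: reject malformed versions, then insert a Python string literal via repr()."""
    if not _VERSION_RE.fullmatch(version):
        raise ValueError(f"not a valid version string: {version!r}")
    return template.format(str_version=repr(version))


def count_statements(source: str) -> int:
    """Parse the generated file and count its top-level statements."""
    return len(ast.parse(source).body)


def is_single_str_assignment(source: str) -> bool:
    """Post-generation guard: the file must contain exactly one 'name = <str constant>' statement."""
    tree = ast.parse(source)
    if len(tree.body) != 1:
        return False
    node = tree.body[0]
    return (
        isinstance(node, ast.Assign)
        and isinstance(node.value, ast.Constant)
        and isinstance(node.value.value, str)
    )


if __name__ == "__main__":
    injected = render_raw(RAW_TEMPLATE, TAINTED_VERSION)
    print(injected)  # four statements instead of one: the tainted input became code
    print("statements:", count_statements(injected))
    print("single string assignment:", is_single_str_assignment(injected))

    safe = render_quoted(QUOTED_TEMPLATE, CLEAN_VERSION)
    print(safe)
    print("single string assignment:", is_single_str_assignment(safe))

    try:
        render_quoted(QUOTED_TEMPLATE, TAINTED_VERSION)
    except ValueError as exc:
        print("rejected:", exc)
```

The `is_single_str_assignment` check is the cheap runtime guard a build backend could run after writing the file: whatever the template and the version source, the resulting module should parse to one assignment of a string constant, and anything else indicates the template or the input has been tampered with.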