Description
Is your feature request related to a problem? Please describe.
https://pdm-backend.fming.dev/metadata/#writing-dynamic-version-to-file suggests a procedure for writing a package version to a file. Python source code generation is also described. Generating source code with unsanitized input is dangerous (CWE-20).
Describe the solution you'd like
As a security conscious developer, I want PDM to sanitize the version string that is replaced in the template, so that when something unexpected happens (e.g., env var is tainted in a CI pipeline), a code injection vulnerability is mitigated.
Besides the existing {} ('raw string') placeholder, which puts the raw version characters in the file, add, e.g., a placeholder {str_version} that directly inserts a quoted (non-f-)string.
Warn when the raw string placeholder is used, both in the docs and at runtime.
Alternatively, deprecate the feature to write the version file according to a template.
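The following script is an added illustration of the injection described in this issue and of the proposed mitigation; it is not part of the issue text and not pdm-backend's own code. It assumes a write_template of the shape the pdm-backend docs show for the raw {} placeholder, a hypothetical {str_version} placeholder that is rendered with repr() so the value always lands inside one string literal, and a constructed tainted version string standing in for a compromised CI variable. The parse-based check at the end is the verification a consumer of the generated file could run: a version file must contain exactly one assignment of a string constant to __version__, nothing else.

```python
import ast
import re
from typing import Optional

# Constructed for this example: a CI variable that was supposed to hold
# "1.2.3" but carries a payload that closes the quoted literal and appends
# statements of its own.
TAINTED_VERSION = "1.2.3'; import os; os.system('id'); x = '"

# Template in the shape the pdm-backend docs show for write_template,
# using the existing raw "{}" placeholder.
RAW_TEMPLATE = "__version__ = '{}'\n"

# Hypothetical template using the "{str_version}" placeholder proposed
# in this issue (not an existing pdm-backend feature).
STR_TEMPLATE = "__version__ = {str_version}\n"

# Simplified PEP 440-style shape (release, optional pre/post/dev, optional
# local segment). Deliberately conservative; it is a sanity gate for the
# raw placeholder, not a full PEP 440 parser.
_VERSION_RE = re.compile(
    r"^[0-9]+(\.[0-9]+)*((a|b|rc)[0-9]+)?(\.post[0-9]+)?(\.dev[0-9]+)?(\+[0-9A-Za-z.]+)?$"
)


def looks_like_pep440(version: str) -> bool:
    """Reject anything that is not a plain version string (quotes, ';', spaces...)."""
    return _VERSION_RE.match(version) is not None


def render_raw(template: str, version: str) -> str:
    """Current behaviour: the version characters are pasted in verbatim."""
    return template.format(version)


def render_str(template: str, version: str) -> str:
    """Proposed behaviour: substitute a quoted, escaped, non-f string literal.
    repr() of a str is exactly such a literal, so quotes or ';' in the
    version cannot terminate the literal and start a new statement."""
    return template.format(str_version=repr(version))


def count_statements(source: str) -> int:
    """Number of top-level statements in the rendered file; a version file
    should have exactly one."""
    return len(ast.parse(source).body)


def extract_version(source: str) -> Optional[str]:
    """Accept the rendered file only if it is a single `__version__ = "<str>"`
    assignment and return the string; otherwise return None."""
    tree = ast.parse(source)
    if len(tree.body) != 1:
        return None
    stmt = tree.body[0]
    if not (
        isinstance(stmt, ast.Assign)
        and len(stmt.targets) == 1
        and isinstance(stmt.targets[0], ast.Name)
        and stmt.targets[0].id == "__version__"
        and isinstance(stmt.value, ast.Constant)
        and isinstance(stmt.value.value, str)
    ):
        return None
    return stmt.value.value


if __name__ == "__main__":
    raw = render_raw(RAW_TEMPLATE, TAINTED_VERSION)
    safe = render_str(STR_TEMPLATE, TAINTED_VERSION)
    print("raw placeholder  ->", raw.rstrip(), "| statements:", count_statements(raw))
    print("str placeholder  ->", safe.rstrip(), "| statements:", count_statements(safe))
    print("tainted value passes shape check:", looks_like_pep440(TAINTED_VERSION))
```

With the raw placeholder the tainted value yields four statements (the assignment, an import, a call and a trailing assignment), which is live code the moment the package is imported; with the repr()-based placeholder the whole payload stays inside one string constant, and the parse-based check recovers it unchanged. The shape check shows the kind of sanitisation the raw placeholder would need if it is kept.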