Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Import self version check eagerly in install command to fix ACE #13085

Merged
merged 4 commits into from
Dec 7, 2024
Merged

Import self version check eagerly in install command to fix ACE #13085

merged 4 commits into from
Dec 7, 2024

Conversation

calebbrown
Copy link
Contributor

Fixes #13079 by moving the import to the top of the module so that it is imported when install.py is imported.

Preserve the comment as it is still relevant and add a note about preventing arbitrary code execution.

@calebbrown
Move self_outdated_check import to the top to stop WHL exec on install.
d7bdc0d 
Fixes pypa#13079.

Signed-off-by: Caleb Brown <calebbrown@google.com>
@calebbrown
Add trivial news file.
dbe82c6 
Signed-off-by: Caleb Brown <calebbrown@google.com>
@calebbrown
Fix ruff linter error.
33acb37 
Signed-off-by: Caleb Brown <calebbrown@google.com>
ichard26
ichard26 approved these changes Nov 18, 2024
View reviewed changes
Copy link
Member

@ichard26 ichard26 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be worth it to include a news entry for this change? Technically this fixes a security vulnerability although I presume it hasn't been used in the wild.

@calebbrown
Populate a bugfix news entry.
0f7bc6a 
Signed-off-by: Caleb Brown <calebbrown@google.com>
@calebbrown
Copy link
Contributor Author

Sure. Added.

@calebbrown calebbrown requested a review from ichard26 November 20, 2024 00:07
@notatallshaw notatallshaw added this to the 25.0 milestone Nov 21, 2024
ichard26
ichard26 approved these changes Dec 7, 2024
View reviewed changes
Copy link
Member

@ichard26 ichard26 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the sluggish progress here.

@ichard26 ichard26 changed the title Move self_outdated_check import to the top to stop WHL exec on install. Import self version check eagerly in install command to fix RCE Dec 7, 2024
@ichard26 ichard26 merged commit 634bf25 into pypa:main Dec 7, 2024
32 checks passed
@ichard26
Copy link
Member

ichard26 commented Dec 7, 2024

And that's my first merge! A little scary if I'm being honest, but it does bring me back to the days where I used to maintain black :)

@ichard26
Copy link
Member

ichard26 commented Dec 7, 2024

And duh, I immediately spot a typo after I merge. It should really read ACE (arbitrary code execution), not RCE (remote code execution). 🙃

@ichard26 ichard26 changed the title Import self version check eagerly in install command to fix RCE Import self version check eagerly in install command to fix ACE Dec 7, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 23, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@ichard26 ichard26 ichard26 approved these changes

@notatallshaw notatallshaw notatallshaw approved these changes

@pradyunsg pradyunsg pradyunsg approved these changes

Assignees
No one assigned
Labels
bot:chronographer:provided
Projects
None yet
Milestone
25.0
Development

Successfully merging this pull request may close these issues.

Lazy import allows wheel to execute code on install.
4 participants
@calebbrown @ichard26 @pradyunsg @notatallshaw