uninstall_deps.py may be vulnerable to shutil.rmtree.avoids_symlink_attacks #38

Open
opened 2024-05-05 09:18:27 +02:00 by so-rose · 0 comments

Deleting the dependency folder is clean and easy, but there are apparently attacks where symbolic links can be manipulated to delete other things on a user's system.

Whether this is practical is unknown, but it's worth investigating that our use of `shutil.rmtree` is valid and proper.

NOTE: Python does have auditing events internally, which can be hooked into.

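As an added example, not part of this issue and not the oscillode project's own `uninstall_deps.py`, the script below checks `shutil.rmtree.avoids_symlink_attacks`, wraps the delete in the two checks a practitioner would want first (the folder is not itself a symlink and resolves to somewhere under the expected root), records the `shutil.rmtree`, `os.remove` and `os.rmdir` audit events through `sys.addaudithook`, and runs all of that against a constructed dependency folder that contains a symlink to a sibling directory. The directory layout, the `remove_dep_dir` helper and the choice of events to watch are assumptions for the demo; POSIX symlink support is assumed for `os.symlink`.

```python
"""Added example (not oscillode code): shutil.rmtree symlink handling plus audit hooks."""
import os
import shutil
import sys
import tempfile
from pathlib import Path

# Event names from the CPython audit-events table. shutil.rmtree fires once at entry;
# os.remove/os.rmdir fire once per object (os.unlink also emits os.remove).
WATCHED_EVENTS = {"shutil.rmtree", "os.remove", "os.rmdir"}

_recorded: list[tuple[str, object]] = []
_recording = False
_hook_installed = False


def _audit_hook(event: str, args: tuple) -> None:
    # A hook sees every audit event in the process and can never be removed,
    # so keep it cheap and gate it on a flag instead of installing one per call.
    if _recording and event in WATCHED_EVENTS:
        _recorded.append((event, args[0] if args else None))


def install_hook() -> None:
    global _hook_installed
    if not _hook_installed:
        sys.addaudithook(_audit_hook)
        _hook_installed = True


def rmtree_is_fd_based() -> bool:
    """True where rmtree uses dir_fd-relative calls and an lstat/open/fstat comparison,
    which closes the check-then-descend race a directory-to-symlink swap exploits."""
    return bool(getattr(shutil.rmtree, "avoids_symlink_attacks", False))


def remove_dep_dir(dep_dir: Path, root: Path) -> list[tuple[str, object]]:
    """Hypothetical uninstall step: delete dep_dir, which must sit under root and must
    not itself be a symlink. Returns the audit events seen during the deletion."""
    global _recording
    install_hook()
    # rmtree refuses a symlink root on its own; checking first gives a clearer error.
    if dep_dir.is_symlink():
        raise ValueError(f"refusing to delete through a symlink: {dep_dir}")
    # Resolve both sides so that root/../elsewhere is rejected.
    if not dep_dir.resolve().is_relative_to(root.resolve()):
        raise ValueError(f"{dep_dir} is outside {root}")
    _recorded.clear()
    _recording = True
    try:
        shutil.rmtree(dep_dir)
    finally:
        _recording = False
    return list(_recorded)


def build_fixture(base: Path) -> tuple[Path, Path]:
    """Constructed layout: deps/ holds a real package plus a symlink pointing at a
    sibling directory that the uninstall must leave alone."""
    precious = base / "precious"
    precious.mkdir()
    (precious / "keep.txt").write_text("must survive\n")
    deps = base / "deps"
    (deps / "pkg").mkdir(parents=True)
    (deps / "pkg" / "mod.py").write_text("x = 1\n")
    os.symlink(precious, deps / "link_to_precious", target_is_directory=True)
    return deps, precious


def demo() -> dict[str, object]:
    """Run the scenario in a temporary directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        deps, precious = build_fixture(base)
        events = remove_dep_dir(deps, base)

        # A symlink given as the root of the call is refused by the stdlib itself.
        link_root = base / "deps_link"
        os.symlink(precious, link_root, target_is_directory=True)
        try:
            shutil.rmtree(link_root)
            stdlib_refused = False
        except OSError:
            stdlib_refused = True
        return {
            "fd_based": rmtree_is_fd_based(),
            "deps_gone": not deps.exists(),
            "precious_intact": (precious / "keep.txt").is_file(),
            "stdlib_refuses_symlink_root": stdlib_refused,
            "rmtree_events": sum(1 for e, _ in events if e == "shutil.rmtree"),
            # Basenames, because the fd-based path unlinks by entry name + dir_fd.
            "unlinked": sorted(os.path.basename(os.fsdecode(a))
                               for e, a in events if e == "os.remove"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats worth keeping in mind when turning this into a real guard: an audit hook that raises blocks the operation, so a production hook can deny `shutil.rmtree` for any path outside an allow-list, but hooks cannot be uninstalled and run for every event in the interpreter; and `shutil.rmtree`'s `onerror` callback is deprecated since Python 3.12 in favour of `onexc`, so error handling written against one name will not carry across versions unchanged.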
so-rose added the bug, enhancement, architecture, question, distribution labels 2024-05-05 09:18:27 +02:00
Reference: so-rose/oscillode#38