so-rose/oscillode
1
0
Fork 0
Code Issues 50 Pull requests Projects Releases Packages Wiki Activity

uninstall_deps.py may be vulnerable to shutil.rmtree.avoids_symlink_attacks #38

New issue
Open
opened 2024-05-05 09:18:27 +02:00 by so-rose · 0 comments
so-rose commented 2024-05-05 09:18:27 +02:00
Owner
Copy link

Deleting the dependency folder is clean and easy, but there are apparently attacks where symbolic links can be manipulated to delete other things on a user's systems.

Whether this is practical is unknown, but it's worth investigating that our use of shutil.rmtree is valid and proper.

NOTE: Python does have auditing events internally, which can be hooked into.

Deleting the dependency folder is clean and easy, but there are apparently attacks where symbolic links can be manipulated to delete other things on a user's systems. Whether this is practical is unknown, but it's worth investigating that our use of `shutil.rmtree` is valid and proper. _NOTE: Python does have auditing events internally, which can be hooked into._
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
uv-refactor
No results found.
Labels
Clear labels   
abstractions

Related to the functionality of the abstractions used to make node/socket design tolerable.

  
architecture

Related to the internal approach / structuring of functionality.

  
bug

Something that isn't working.

  
distribution

Related to processes that gets the software into the hands of users.

  
docs

Related to the documentation, both reference and user-facing.

  
duplicate

An issue that already exists.

  
enhancement

Something to improve existing functionality.

  
feature

A feature to implement ex. node, socket, etc. .

  
physical

Related to the physical correctness or modelling of the tool.

  
proposal

A proposal for a large/radical feature or change, to explain the why/how/status.

  
question

A question for a more qualified person.

  
simulation

A particular simulation-based test, benchmark, or project of real-world significance.

  
tooling

Related to the developer tooling that keeps the developer's mind sane and happy.

  
tracker

Aggregating tracker for other Issues.

  
unconfirmed

Don't know exactly what's going on yet - ideal for ex. user reports.

  
ux

Related to the user experience, visual communication, etc. .

  
wontfix

Something that doesn't work that won't be fixed, on purpose.

No labels
abstractions
architecture
bug
distribution
docs
duplicate
enhancement
feature
physical
proposal
question
simulation
tooling
tracker
unconfirmed
ux
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: so-rose/oscillode#38
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?