so-rose
/
oscillode
1
0
Fork 0
Code Issues 50 Pull Requests Packages Projects Releases Wiki Activity

uninstall_deps.py may be vulnerable to shutil.rmtree.avoids_symlink_attacks #38

New Issue
Open
opened 2024-05-05 09:18:27 +02:00 by so-rose · 0 comments
so-rose commented 2024-05-05 09:18:27 +02:00
Owner

Deleting the dependency folder is clean and easy, but there are apparently attacks where symbolic links can be manipulated to delete other things on a user's systems.

Whether this is practical is unknown, but it's worth investigating that our use of shutil.rmtree is valid and proper.

NOTE: Python does have auditing events internally, which can be hooked into.

Deleting the dependency folder is clean and easy, but there are apparently attacks where symbolic links can be manipulated to delete other things on a user's systems. Whether this is practical is unknown, but it's worth investigating that our use of `shutil.rmtree` is valid and proper. _NOTE: Python does have auditing events internally, which can be hooked into._
so-rose added the
bug
enhancement
architecture
question
distribution
 labels 2024-05-05 09:18:27 +02:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
uv-refactor
main
Labels
Clear labels   
abstractions

Related to the functionality of the abstractions used to make node/socket design tolerable.   
architecture

Related to the internal approach / structuring of functionality.   
bug

Something that isn't working.   
distribution

Related to processes that gets the software into the hands of users.   
docs

Related to the documentation, both reference and user-facing.   
duplicate

An issue that already exists.   
enhancement

Something to improve existing functionality.   
feature

A feature to implement ex. node, socket, etc. .   
physical

Related to the physical correctness or modelling of the tool.   
proposal

A proposal for a large/radical feature or change, to explain the why/how/status.   
question

A question for a more qualified person.   
simulation

A particular simulation-based test, benchmark, or project of real-world significance.   
tooling

Related to the developer tooling that keeps the developer's mind sane and happy.   
tracker

Aggregating tracker for other Issues.   
unconfirmed

Don't know exactly what's going on yet - ideal for ex. user reports.   
ux

Related to the user experience, visual communication, etc. .   
wontfix

Something that doesn't work that won't be fixed, on purpose.
No Label
abstractions
architecture
bug
distribution
docs
duplicate
enhancement
feature
physical
proposal
question
simulation
tooling
tracker
unconfirmed
ux
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: so-rose/oscillode#38
There is no content yet.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may exist for a short time before cleaning up, in most cases it CANNOT be undone. Continue?