Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Security issue in pipx caused by misstyping command names
See original GitHub issueInitially sent as email to @cs01, but reposting here per his request. The initial report was:
I’ve noticed that pipx is vulnerable to RCE if someone misstypes a command. I did type pipx upgrade_all out of mistake and if pypi would have had an upgrade_all package pipx would download and run it. I realize this is a “feature”, but I do not think a simple typo in the command arguments like this should cause an issue. What do you think about moving pipx BINARY towards pipx run BINARY, in this case the intent is explicit and it is clearer that BINARY will download something and the changes for typos are less.
I realize that it is kinda weird to call this a security issue since pipx does download and execute software anyways, but it would be nice to guard against simple typos nevertheless.
Another option, suggested by @cs01 in our conversation, would be to add code to detect typos and then prevent execution unless --force (or similar) is passed. From a pure technical point I think introducing run would be easier and less error prone.
Issue Analytics
- State:
- Created 5 years ago
- Reactions:2
- Comments:5
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Option 1: replace
pipx BINARYwithpipx run BINARY(please vote with thumbs up/down)
Looks like we have a winner 🎉. @apollo13 thanks for bringing this up. I will implement it.