Re-allow paths in .python-version provided that they resolve to within the versions dir (#2442)

* Fixes #2430 while still preventing CVE-2022-35861 * Adds a skipped version message to stderr Co-authored-by: Ivan Pozdeev <vano@mail.mipt.ru>
2025-11-12 21:33:54 -05:00 · 2022-09-03 14:37:53 -05:00
parent fdabd14c2b
commit 47b0ce77c0
2 changed files with 48 additions and 11 deletions
--- a/test/version-file-read.bats
+++ b/test/version-file-read.bats
@@ -83,14 +83,36 @@ IN
  assert_success "3.9.3:3.8.9:2.7.16"
 }

-@test "skips relative path traversal" {
+@test "skips \`..' relative path traversal" {
+  echo '..' > my-version
+  run pyenv-version-file-read my-version
+  assert_failure "pyenv: invalid version \`..' ignored in \`my-version'"
+}
+
+@test "skips glob path traversal" {
  cat > my-version <<IN
+../*
 3.9.3
-3.8.9
-  ..
-./*
-2.7.16
 IN
  run pyenv-version-file-read my-version
-  assert_success "3.9.3:3.8.9:2.7.16"
+  assert_success <<OUT
+pyenv: invalid version \`../\*' ignored in \`my-version'
+3.9.3
+OUT
+}
+
+@test "allows relative paths that exist and stay within versions" {
+  venv=3.10.3/envs/../test
+  mkdir -p "${PYENV_ROOT}/versions/${venv}"
+  echo -n "${venv}" > my-version
+  run pyenv-version-file-read my-version
+  assert_success "${venv}"
+}
+
+@test "skips relative paths that lead outside of versions" {
+  venv=../3.10.3/envs/test
+  mkdir -p "${PYENV_ROOT}/versions/${venv}"
+  echo -n "${venv}" > my-version
+  run pyenv-version-file-read my-version
+  assert_failure
 }