Merge pull request from GHSA-pq7m-3gw7-gq5x

Carreau · Carreau · commit 5fa1e409d2dc · 2022-01-19T14:36:19.000+01:00
FIX CVE-2022-21699
diff --git a/IPython/__init__.py b/IPython/__init__.py
@@ -65,6 +65,10 @@
 __license__  = release.license
 __version__  = release.version
 version_info = release.version_info
+# list of CVEs that should have been patched in this release.
+# this is informational and should not be relied upon.
+__patched_cves__ = {"CVE-2022-21699"}
+
 
 def embed_kernel(module=None, local_ns=None, **kwargs):
     """Embed and start an IPython kernel in a given scope.
diff --git a/IPython/core/application.py b/IPython/core/application.py
@@ -133,7 +133,7 @@ def _config_file_name_changed(self, change):
     config_file_paths = List(Unicode())
     @default('config_file_paths')
     def _config_file_paths_default(self):
-        return [os.getcwd()]
+        return []
 
     extra_config_file = Unicode(
     help="""Path to an extra config file to load.
diff --git a/IPython/core/profileapp.py b/IPython/core/profileapp.py
@@ -181,9 +181,10 @@ def list_profile_dirs(self):
         profiles = list_profiles_in(os.getcwd())
         if profiles:
             print()
-            print("Available profiles in current directory (%s):" % os.getcwd())
-            self._print_profiles(profiles)
-        
+            print(
+                "Profiles from CWD have been removed for security reason, see CVE-2022-21699:"
+            )
+
         print()
         print("To use any of the above profiles, start IPython with:")
         print("    ipython --profile=<name>")
diff --git a/IPython/core/profiledir.py b/IPython/core/profiledir.py
@@ -186,7 +186,7 @@ def find_profile_dir_by_name(cls, ipython_dir, name=u'default', config=None):
         is not found, a :class:`ProfileDirError` exception will be raised.
 
         The search path algorithm is:
-        1. ``os.getcwd()``
+        1. ``os.getcwd()`` # removed for security reason.
         2. ``ipython_dir``
 
         Parameters
@@ -198,7 +198,7 @@ def find_profile_dir_by_name(cls, ipython_dir, name=u'default', config=None):
             will be "profile_<profile>".
         """
         dirname = u'profile_' + name
-        paths = [os.getcwd(), ipython_dir]
+        paths = [ipython_dir]
         for p in paths:
             profile_dir = os.path.join(p, dirname)
             if os.path.isdir(profile_dir):
diff --git a/IPython/tests/cve.py b/IPython/tests/cve.py
@@ -0,0 +1,56 @@
+"""
+Test that CVEs stay fixed. 
+"""
+
+from IPython.utils.tempdir import TemporaryDirectory, TemporaryWorkingDirectory
+from pathlib import Path
+import random
+import sys
+import os
+import string
+import subprocess
+import time
+
+def test_cve_2022_21699():
+    """
+    Here we test CVE-2022-21699.
+
+    We create a temporary directory, cd into it. 
+    Make a profile file that should not be executed and start IPython in a subprocess, 
+    checking for the value.
+
+
+
+    """
+
+    dangerous_profile_dir = Path('profile_default')
+
+    dangerous_startup_dir = dangerous_profile_dir / 'startup'
+    dangerous_expected = 'CVE-2022-21699-'+''.join([random.choice(string.ascii_letters) for i in range(10)])
+
+    with TemporaryWorkingDirectory() as t:
+        dangerous_startup_dir.mkdir(parents=True)
+        (dangerous_startup_dir/ 'foo.py').write_text(f'print("{dangerous_expected}")')
+        # 1 sec to make sure FS is flushed.
+        #time.sleep(1)
+        cmd = [sys.executable,'-m', 'IPython']
+        env = os.environ.copy()
+        env['IPY_TEST_SIMPLE_PROMPT'] = '1'
+
+
+        # First we fake old behavior, making sure the profile is/was actually dangerous
+        p_dangerous = subprocess.Popen(cmd + [f'--profile-dir={dangerous_profile_dir}'], env=env, stdin=subprocess.PIPE,
+                stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+        out_dangerous, err_dangerouns = p_dangerous.communicate(b"exit\r")
+        assert dangerous_expected in out_dangerous.decode()
+
+        # Now that we know it _would_ have been dangerous, we test it's not loaded
+        p = subprocess.Popen(cmd, env=env, stdin=subprocess.PIPE,
+                stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+        out, err = p.communicate(b"exit\r")
+        assert b'IPython' in out
+        assert dangerous_expected not in out.decode()
+        assert err == b''
+
+
+
diff --git a/docs/source/whatsnew/version7.rst b/docs/source/whatsnew/version7.rst
@@ -2,6 +2,14 @@
  7.x Series
 ============
 
+=======
+.. _version 7.16.3:
+
+IPython 7.16.3 (CVE-2022-21699)
+===============================
+
+Fixed CVE-2022-21699, see IPython 8.0.1 release notes for informations.
+
 .. _version 716:
 
 IPython 7.16.1, 7.16.2
