Package: azure-cli
Version: 2.33.0-1
Tags: security
az(1) can't be used securely when the current working directory is
untrusted (e.g. /tmp), because it loads code from cwd:

Proof of concept:

    $ echo 'raise RuntimeError("pwned")' > azure.py
    $ az --help
    Traceback (most recent call last):
      File "/usr/lib/python3.9/runpy.py", line 188, in _run_module_as_main
        mod_name, mod_spec, code = _get_module_details(mod_name, _Error)
      File "/usr/lib/python3.9/runpy.py", line 111, in _get_module_details
        __import__(pkg_name)
      File "/home/jwilk/azure.py", line 1, in <module>
        raise RuntimeError("pwned")
    RuntimeError: pwned

This happens because az(1) does:

    os.execl(sys.executable, sys.executable, '-m', 'azure.cli', *sys.argv[1:])

The -m option adds cwd to the start of sys.path, as documented:
https://docs.python.org/3/using/cmdline.html#cmdoption-m

Something like this could probably be used instead:

    import runpy
    runpy.run_module('azure.cli')

--
Jakub Wilk
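
Added example, not part of the original report and not azure-cli code: a check that compares launch styles by whether a file planted in an untrusted cwd gets executed. It assumes the stdlib module json.tool as a stand-in for azure.cli, and a constructed json.py and launcher.py; run_name='__main__' is passed only because json.tool guards its entry point.

```python
import os
import subprocess
import sys
import tempfile

MARKER = "LOADED-FROM-CWD"  # constructed marker printed by the planted file

# Constructed stand-in for the wrapper change suggested in the report: a
# launcher script that lives outside cwd and starts the module through runpy.
LAUNCHER = (
    "import runpy\n"
    "runpy.run_module('json.tool', run_name='__main__')\n"
)

def run_in(cwd, argv):
    """Run the interpreter with argv inside cwd; return combined output."""
    # Drop variables that alter sys.path so only the launch style differs.
    env = {k: v for k, v in os.environ.items()
           if k not in ("PYTHONSAFEPATH", "PYTHONPATH")}
    proc = subprocess.run([sys.executable, *argv, "--help"], cwd=cwd, env=env,
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                          text=True, timeout=60)
    return proc.stdout

def cwd_code_loaded():
    """Map each launch style to True if the file planted in cwd was executed."""
    with tempfile.TemporaryDirectory() as untrusted, \
         tempfile.TemporaryDirectory() as trusted:
        # json.py in cwd shadows the stdlib 'json' package, the same way
        # azure.py shadows the 'azure' package in the report.
        with open(os.path.join(untrusted, "json.py"), "w") as f:
            f.write(f"print({MARKER!r})\n")
        launcher = os.path.join(trusted, "launcher.py")
        with open(launcher, "w") as f:
            f.write(LAUNCHER)
        modes = {
            "-m": ["-m", "json.tool"],           # same style as the az wrapper
            "-I -m": ["-I", "-m", "json.tool"],  # isolated mode: cwd not added
            "script + runpy": [launcher],        # sys.path[0] is the script dir
        }
        return {name: MARKER in run_in(untrusted, argv)
                for name, argv in modes.items()}

if __name__ == "__main__":
    for mode, loaded in cwd_code_loaded().items():
        print(f"{mode:16} cwd code executed: {loaded}")
```

Note that -I also ignores PYTHON* environment variables and the user site directory, which a wrapper may or may not want.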