
Filenames containing `'` make the build fail

Open 473867143 opened this issue 4 years ago • 6 comments

Details:

  • Project URL: https://readthedocs.org/projects/prometheus300/
  • Build URL(if applicable): https://readthedocs.org/projects/prometheus300/builds/12635694/
  • Read the Docs username(if applicable): amovlab2019

Expected Result

A description of what you wanted to happen

Actual Result

A description of what actually happened

473867143 avatar Dec 25 '20 10:12 473867143

Hi! I just found there is a problem with filenames that contain ' in their name.

This is the call that fails in our code:

>>> import shlex
>>> shlex.split("/bin/sh -c 'cd /home/docs/checkouts/readthedocs.org/user_builds/mactest1/checkouts/latest/docs/_build/latex && PATH=/home/docs/checkouts/readthedocs.org/user_builds/mactest1/envs/latest/bin:$PATH extractbb Gino\\'s.png'")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.9/shlex.py", line 315, in split
    return list(lex)
  File "/usr/lib/python3.9/shlex.py", line 300, in __next__
    token = self.get_token()
  File "/usr/lib/python3.9/shlex.py", line 109, in get_token
    raw = self.read_token()
  File "/usr/lib/python3.9/shlex.py", line 191, in read_token
    raise ValueError("No closing quotation")
ValueError: No closing quotation
>>>

As a workaround, you could change those filenames to remove the quote.

humitos avatar Dec 28 '20 10:12 humitos

From the man page

A single quote may not occur between single quotes, even when preceded by a backslash.

From SO https://stackoverflow.com/questions/8254120/how-to-escape-a-single-quote-in-single-quote-string-in-bash

We could solve this by escaping single quotes as '\\'' instead of \\'; it works with several consecutive single quotes as well.

>>> shlex.split("'I'\\''m here'\\'''\\'''\\'' quote'")
["I'm here''' quote"]

Doesn't look like it is possible to generate a command injection with this, just an invalid syntax error. We could also try to get rid of the prefix and rely on shlex.quote/split https://github.com/readthedocs/readthedocs.org/blob/b586cf01482af58c534b4e0a3f60af1eb704dbfe/readthedocs/doc_builder/environments.py#L365-L365

stsewd avatar May 20 '21 23:05 stsewd
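
The quoting options raised in the comment above, compared side by side. This is an added example, not code from the thread or from Read the Docs. The wrapper names, the `survives` check and the third filename are assumptions made for illustration, and `shlex` in POSIX mode stands in for how `sh` would parse the script.

```python
import shlex

# Constructed sample names; the first two are the files named in this thread.
SAMPLE_NAMES = [
    "Gino's.png",
    "exemple_d'une_mise_à_jour.png",
    "notes; it's final.png",  # constructed: space, semicolon and apostrophe
]


def naive_wrap(script):
    # Backslash-escape quotes inside '...': the form that fails in this issue.
    return "/bin/sh -c '" + script.replace("'", "\\'") + "'"


def posix_wrap(script):
    # Close the quote, emit an escaped quote, reopen: each ' becomes '\''.
    return "/bin/sh -c '" + script.replace("'", "'\\''") + "'"


def quoted_wrap(script):
    # Let the standard library choose the quoting.
    return "/bin/sh -c " + shlex.quote(script)


def survives(wrap, filename):
    """True if extractbb would receive the filename as exactly one argument."""
    script = "extractbb " + shlex.quote(filename)  # inner layer: the sh script
    try:
        argv = shlex.split(wrap(script))  # outer layer: the wrapped command
        # argv[2] is what sh would parse; split it the same way to check it.
        return argv[:2] == ["/bin/sh", "-c"] and len(argv) == 3 and \
            shlex.split(argv[2]) == ["extractbb", filename]
    except ValueError:  # "No closing quotation"
        return False


def report():
    wrappers = (naive_wrap, posix_wrap, quoted_wrap)
    return {n: {w.__name__: survives(w, n) for w in wrappers} for n in SAMPLE_NAMES}


if __name__ == "__main__":
    for name, result in report().items():
        print(repr(name), result)
```

A check like `survives` can run as a unit test over apostrophe-containing names, so a quoting regression shows up before it reaches a build.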

Today we hit the same issue when running extractbb for project images when building the PDF (@astrojuanlu handled this with a user). As these commands are not shown to the user, it's super hard to realize/understand what went wrong. There is no other option than to contact support to understand what happened.

humitos avatar Jan 25 '22 15:01 humitos

The build of the original poster does not seem to exist anymore, but this problem appeared again on https://readthedocs.org/projects/nrn-rrn-docs/builds/15877822/, since there are a couple of files with apostrophes in the name: "modèle_d'échange_de_données.png" and "exemple_d'une_mise_à_jour.png" https://github.com/jessestewart1/nrn-rrn/blob/ea070c3fcbb3ad62604c1b70b68abe729f95bf0a/docs/source/static/figures/exemple_d'une_mise%C3%A0_jour.png

The build failure is opaque to the user; it can only be seen by studying the logs.

astrojuanlu avatar Jan 25 '22 15:01 astrojuanlu

Sentry issue: READTHEDOCS-ORG-PGC

sentry-io[bot] avatar Sep 07 '22 14:09 sentry-io[bot]