llvmlite
Static analysis flags command injection vulnerability in build.py
Static analysis is flagging this code section as being vulnerable to command injection:
build.py (101-105):
```python
llvm_config = os.environ.get('LLVM_CONFIG', 'llvm-config')
print("LLVM version... ", end='')
sys.stdout.flush()
try:
    out = subprocess.check_output([llvm_config, '--version'])
```
The value of the env variable LLVM_CONFIG is directly used for an executable.
Not sure if there is anything we can do here, since that is the point of the option: to allow someone during the package build process to override any llvm-config detected in the path.
In principle, we don't have to ship this .py file with the finished package, though.
@sklam has just reminded me that the ffi directory should only appear in the source distribution, not in the binary conda package or wheel.
I understand the exposure is very limited to build environments, but that still poses a risk to those using these sources in their CI, right? Is there a way to limit the options for what is executed or in some other way validate or scrub the "input" from the env variable?
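One way to answer that last question, as an added example and not llvmlite's own code: keep the argument-list call exactly as build.py already has it (no shell is involved, so the value cannot splice in extra commands) and vet which program gets run before calling it. The `resolve_llvm_config` / `llvm_version` names, the basename pattern and the optional `allowed_dirs` restriction are all assumed policy for illustration, not anything the project has adopted.

```python
import os
import re
import shutil
import subprocess
from pathlib import Path

# Assumed allow-list policy (not llvmlite's): the basename must look like an
# llvm-config binary, plain or with a version suffix such as llvm-config-15.
_ALLOWED_BASENAME = re.compile(r"^llvm-config(-?\d+(\.\d+)*)?(\.exe)?$")


def resolve_llvm_config(value, allowed_dirs=None):
    """Vet the LLVM_CONFIG value and return an absolute path, or raise ValueError.

    allowed_dirs (optional) pins the executable to a set of directories, so a
    CI job can restrict it to the toolchain prefix it provisioned itself.
    """
    if not value or "\x00" in value:
        raise ValueError("LLVM_CONFIG must be a non-empty string without NUL bytes")
    # which() accepts a bare name (looked up on PATH) or a path, and only
    # returns it when the file exists and is executable.
    found = shutil.which(value)
    if found is None:
        raise ValueError(f"LLVM_CONFIG {value!r} is not an executable file")
    path = Path(found).resolve()  # follow symlinks before checking the name
    if not path.is_file():
        raise ValueError(f"LLVM_CONFIG {value!r} is not a regular file")
    if not _ALLOWED_BASENAME.match(path.name):
        raise ValueError(f"LLVM_CONFIG {value!r} does not look like llvm-config")
    if allowed_dirs is not None:
        roots = [Path(d).resolve() for d in allowed_dirs]
        if not any(root == path.parent or root in path.parents for root in roots):
            raise ValueError(f"LLVM_CONFIG {value!r} is outside the allowed directories")
    return str(path)


def llvm_version(env=None, allowed_dirs=None):
    """Same query as build.py, with the executable vetted first."""
    env = os.environ if env is None else env
    llvm_config = resolve_llvm_config(env.get("LLVM_CONFIG", "llvm-config"),
                                      allowed_dirs)
    # Argument-list form: no shell parses the value, so the only remaining
    # question is *which* program runs, and that is settled above.
    out = subprocess.check_output([llvm_config, "--version"])
    return out.decode("utf-8").strip()
```

A value like `/bin/sh` or `llvm-config; id` is rejected before anything is executed; only a real, executable llvm-config (optionally inside a directory you chose) is run.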