
Fix broken symlinks in Poetry installer command#4

Open
bortlicenseplates wants to merge 2 commits into mise-plugins:main from bortlicenseplates:patch-1

Conversation

@bortlicenseplates

Updated Poetry installation command to enable symlinks. Fixes issue #3

@gemini-code-assist

Summary of Changes

Hello @bortlicenseplates, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves an issue where Poetry installations were encountering broken symlinks. The change modifies the Poetry installation command to ensure that symlinks are correctly enabled during the setup process, thereby fixing compatibility problems and ensuring proper functionality.

Highlights

  • Poetry Installation: The Poetry installation command has been updated to explicitly enable symlinks. This is achieved by piping the installer script through sed to replace symlinks=False with symlinks=True.
Changelog
  • hooks/post_install.lua
    • Modified the Poetry installation command to enable symlinks.

@bortlicenseplates
Author

@gemini-code-assist review


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request aims to fix broken symlinks during Poetry installation by enabling symlinks in the installer. It also addresses a critical issue where the original model response incorrectly returned the schema definition itself, with the properties field at the top level, instead of a valid JSON object conforming to the specified schema. For the symlink fix, the current use of sed to modify the installer script is fragile; a more robust solution would be to leverage the --symlinks flag provided by the installer.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request aims to fix broken symlinks in the Poetry installer. However, the current approach introduces a critical command injection vulnerability. The installation script construction is vulnerable because it concatenates variables into a shell script without proper escaping, specifically using double quotes in hooks/post_install.lua which allows command substitution. A similar, more critical vulnerability exists in hooks/env_keys.lua which could lead to Remote Code Execution (RCE). Additionally, the use of sed to modify the installer script on the fly is brittle and may break with upstream changes. It is recommended to implement robust shell escaping for all variables in shell commands and consider more stable methods for enabling symlinks.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request aims to fix an issue with broken symlinks during Poetry installation by patching the installer script on the fly using sed. However, the modified line introduces a critical command injection vulnerability where user-controlled variables (installation path and version) are injected into a shell script without proper escaping. This sed patching approach is also inherently fragile and could break if the upstream installer script changes. Furthermore, similar critical command injection vulnerabilities were identified in hooks/env_keys.lua (via the pyproject option) and other parts of hooks/post_install.lua (via os.execute calls) that should be addressed to ensure the overall security of the plugin.


# Run the Poetry installer
curl -sSL https://install.python-poetry.org | POETRY_HOME="%s" python3 - --version "%s"
curl -sSL https://install.python-poetry.org | sed 's/symlinks=False/symlinks=True/' | POETRY_HOME="%s" python3 - --version "%s"
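Review bot: the new line has no failure path for the patch itself: if the upstream installer ever spells the assignment differently (extra spaces, a renamed keyword argument), `sed 's/symlinks=False/symlinks=True/'` passes the script through untouched, python3 runs it, and the install "succeeds" with symlinks still disabled, so the regression this PR fixes would come back silently. Save the script to a temp file, apply the substitution, and `grep -q 'symlinks=True'` before running it, or at minimum use a whitespace-tolerant pattern such as `sed -E 's/symlinks[[:space:]]*=[[:space:]]*False/symlinks=True/'`. Separately, both `"%s"` placeholders (`POETRY_HOME="%s"` and `--version "%s"`) sit inside double quotes in the script text, so any value containing `$(...)`, backticks or `$VAR` is expanded by the shell at run time; single-quote the substituted values with embedded quotes escaped, or validate the version against a strict character set before formatting.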


security-critical critical

This line is vulnerable to critical command injection. The install_path and version variables are injected into a bash script using string.format without proper shell escaping. If an attacker can control the version string or if the installation path contains shell metacharacters, they can execute arbitrary commands. It is highly recommended to sanitize these variables or use a robust shell-escaping mechanism. Additionally, the sed patching approach is brittle and could fail silently if the upstream install.python-poetry.org script changes its format. Consider improving the sed command to be more flexible with whitespace and adding an explanatory comment acknowledging its fragility.

# Patch installer to enable symlinks (https://github.com/mise-plugins/vfox-poetry/issues/3)
# This is fragile and may break if the installer script changes.
curl -sSL https://install.python-poetry.org | sed -E 's/symlinks[[:space:]]*=[[:space:]]*False/symlinks=True/' | POETRY_HOME="%s" python3 - --version "%s"
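The two points raised in the review comments above (unescaped interpolation of the install path and version, and a `sed` patch that fails silently), as an added example that is not code from vfox-poetry or from this PR. It is plain Lua: a helper that single-quotes each interpolated value, a strict check on the version string, and a script template that runs the patched installer only after confirming the substitution matched. `shell_quote`, `validate_version`, `build_install_script`, the temp-file flow and the sample inputs are all assumptions of this example, not the plugin's API.

```lua
-- Added example (not code from vfox-poetry or this PR): build the Poetry
-- installer command so that interpolated values cannot be interpreted by
-- the shell, and so that a non-matching sed patch aborts instead of
-- silently installing with symlinks still disabled.

-- Quote any string as one POSIX-sh word: wrap in single quotes, and turn an
-- embedded ' into '\'' (close quote, escaped quote, reopen quote).
local function shell_quote(s)
  return "'" .. (tostring(s):gsub("'", "'\\''")) .. "'"
end

-- Defence in depth for the --version value: Poetry versions such as 1.8.3 or
-- 2.0.0a1 only need letters, digits, '.', '-' and '+', so reject anything
-- else before it gets anywhere near a shell.
local function validate_version(version)
  if type(version) ~= "string" or not version:match("^[%w%.%-%+]+$") then
    error("refusing unexpected Poetry version string: " .. tostring(version))
  end
  return version
end

-- Script template. [=[ ... ]=] is used because the sed pattern contains ']]'.
-- The installer is saved to a temp file, patched with a whitespace-tolerant
-- sed, and run only if the patched copy really contains symlinks=True.
local INSTALL_TEMPLATE = [=[
set -eu
tmp=$(mktemp)
trap 'rm -f "$tmp" "$tmp.patched"' EXIT
curl -sSL https://install.python-poetry.org > "$tmp"
sed -E 's/symlinks[[:space:]]*=[[:space:]]*False/symlinks=True/' "$tmp" > "$tmp.patched"
grep -q 'symlinks=True' "$tmp.patched" || { echo 'symlink patch did not apply; installer changed upstream?' >&2; exit 1; }
POETRY_HOME=%s python3 "$tmp.patched" --version %s
]=]

-- Both values reach the script only in single-quoted form, so $(...),
-- backticks or ';' inside them are ordinary characters to /bin/sh.
local function build_install_script(install_path, version)
  validate_version(version)
  return string.format(INSTALL_TEMPLATE,
    shell_quote(install_path), shell_quote(version))
end

-- Constructed sample inputs: with the original double-quoted "%s" the first
-- path would have expanded $(id); here it is an inert quoted argument, and
-- the second call is rejected outright by validate_version.
local script = build_install_script("/tmp/poetry $(id)", "1.8.3")
assert(script:find("POETRY_HOME='/tmp/poetry $(id)'", 1, true))
assert(not pcall(build_install_script, "/tmp/poetry", "1.8.3; id"))

-- In the hook this string is what would be handed to os.execute(script).
```

`os.execute` hands the string to `/bin/sh`, so the template sticks to POSIX features (`set -eu`, `trap ... EXIT`, `grep -q`); `mktemp` is the one command that is common but not specified by POSIX. The `grep` check is what turns the brittle upstream dependency from a silent regression into a loud install failure, which is what a plugin maintainer actually wants to see.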

Author


The external dependency is already likely to break. Putting pressure on the poetry-install maintainers to fix this issue python-poetry/install.python-poetry.org#24 is probably the "right" solution. Forking and patching the script could also work, but that's a lot more work to maintain. IMO until python-poetry/install.python-poetry.org#24 is fixed, this is the correct solution.
