2 changes: 1 addition & 1 deletion hooks/post_install.lua
Expand Up @@ -14,7 +14,7 @@ function PLUGIN:PostInstall(ctx)
set -e

# Run the Poetry installer
curl -sSL https://install.python-poetry.org | POETRY_HOME="%s" python3 - --version "%s"
curl -sSL https://install.python-poetry.org | sed 's/symlinks=False/symlinks=True/' | POETRY_HOME="%s" python3 - --version "%s"
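Review bot: the new `curl | sed | python3` pipeline cannot fail this script even though `set -e` is in force above it, because a pipeline's status is that of its last command (`python3`), and if the literal `symlinks=False` is absent from the downloaded script `sed` still exits 0 and the installer runs unpatched with no indication. Add `set -o pipefail` beside `set -e`, and fetch the script into a variable first so the substitution can be checked before anything is executed, e.g. `script=$(curl -sSL https://install.python-poetry.org)` followed by `grep -q 'symlinks=False' <<<"$script" || exit 1`. Separately, the two `%s` placeholders (`POETRY_HOME` and `--version`) are still interpolated into the shell text by the surrounding `string.format` without quoting; single-quote them or validate the values before formatting.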
security-critical critical

This line is vulnerable to critical command injection. The install_path and version variables are injected into a bash script using string.format without proper shell escaping. If an attacker can control the version string or if the installation path contains shell metacharacters, they can execute arbitrary commands. It is highly recommended to sanitize these variables or use a robust shell-escaping mechanism. Additionally, the sed patching approach is brittle and could fail silently if the upstream install.python-poetry.org script changes its format. Consider improving the sed command to be more flexible with whitespace and adding an explanatory comment acknowledging its fragility.

# Patch installer to enable symlinks (https://github.com/mise-plugins/vfox-poetry/issues/3)
# This is fragile and may break if the installer script changes.
curl -sSL https://install.python-poetry.org | sed -E 's/symlinks[[:space:]]*=[[:space:]]*False/symlinks=True/' | POETRY_HOME="%s" python3 - --version "%s"

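The shell-escaping the review comment above asks for, as an added example in Lua that is not part of this PR or of the vfox-poetry plugin; `shell_quote`, `validate_version` and `build_install_script` are names assumed here, and the inputs in the self-check are constructed.

```lua
-- Added example (Lua): build the installer script with every interpolated
-- value shell-quoted and the version validated first. Not the plugin's
-- code; shell_quote, validate_version and build_install_script are assumed
-- names, and the sample values at the bottom are constructed.

-- Single-quote a value for POSIX sh. Inside single quotes the shell
-- interprets nothing, so an embedded quote is the only character that
-- needs handling: close the quote, emit \', reopen the quote.
local function shell_quote(s)
  return "'" .. (tostring(s):gsub("'", "'\\''")) .. "'"
end

-- Accept only a plain version token (digits, letters, '.', '+', '-'),
-- e.g. 1.8.3 or 2.0.0rc1; anything containing whitespace or shell
-- metacharacters is rejected before it ever reaches string.format.
local function validate_version(version)
  local v = tostring(version)
  if not v:match("^[%w%.%+%-]+$") then
    error("refusing to install poetry: unexpected version string " .. v)
  end
  return v
end

-- Same command as the hook, but the %s placeholders now receive quoted
-- values, so a path containing spaces or a '$' is passed through literally.
local function build_install_script(install_path, version)
  local v = validate_version(version)
  return string.format([[
set -e

# Run the Poetry installer
curl -sSL https://install.python-poetry.org | sed 's/symlinks=False/symlinks=True/' | POETRY_HOME=%s python3 - --version %s
]], shell_quote(install_path), shell_quote(v))
end

-- Self-check with constructed inputs: quoting survives an embedded quote,
-- a version carrying a shell metacharacter is refused, a normal call works.
assert(shell_quote("/opt/it's here") == "'/opt/it'\\''s here'")
assert(not pcall(build_install_script, "/opt/poetry", "1.8.3; echo injected"))
print(build_install_script("/home/me/.local/poetry dir", "1.8.3"))
```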
Author
The external dependency is already likely to break. Putting pressure on the poetry-install maintainers to fix this issue python-poetry/install.python-poetry.org#24 is probably the "right" solution. Forking and patching the script could also work, but that's a lot more work to maintain. IMO until python-poetry/install.python-poetry.org#24 is fixed, this is the correct solution.


# Configure poetry for mise compatibility
# For Poetry >= 2.0.0, use virtualenvs.use-poetry-python false