Merge pull request #1 from ActiveState/BE-5124-2024-53899

First pass at hand cherry-picking 86ddded…

Author: icanhasmath

docs/changelog/2768.bugfix.rst

@@ -0,0 +1,2 @@
+Properly quote string placeholders in activation script templates to mitigate
+potential command injection - by :user:`y5c4l3`.

pyproject.toml

@@ -17,3 +17,8 @@ directory = "docs/changelog"
 title_format = false
 issue_format = "`#{issue} <https://github.com/pypa/virtualenv/issues/{issue}>`_"
 template = "docs/changelog/template.jinja2"
+
+[tool.ruff]
+lint.per-file-ignores."src/virtualenv/activation/python/activate_this.py" = [
+  "F821", # ignore undefined template string placeholders
+]

src/virtualenv/activation/bash/activate.sh

@@ -44,14 +44,14 @@ deactivate () {
 # unset irrelevant variables
 deactivate nondestructive
 
-VIRTUAL_ENV='__VIRTUAL_ENV__'
+VIRTUAL_ENV=__VIRTUAL_ENV__
 if ([ "$OSTYPE" = "cygwin" ] || [ "$OSTYPE" = "msys" ]) && $(command -v cygpath &> /dev/null) ; then
     VIRTUAL_ENV=$(cygpath -u "$VIRTUAL_ENV")
 fi
 export VIRTUAL_ENV
 
 _OLD_VIRTUAL_PATH="$PATH"
-PATH="$VIRTUAL_ENV/__BIN_NAME__:$PATH"
+PATH="$VIRTUAL_ENV/"__BIN_NAME__":$PATH"
 export PATH
 
 # unset PYTHONHOME if set
@@ -62,10 +62,10 @@ fi
 
 if [ -z "${VIRTUAL_ENV_DISABLE_PROMPT-}" ] ; then
     _OLD_VIRTUAL_PS1="${PS1-}"
-    if [ "x__VIRTUAL_PROMPT__" != x ] ; then
-        PS1="(__VIRTUAL_PROMPT__) ${PS1-}"
+    if [ "x"__VIRTUAL_PROMPT__ != x ] ; then
+        PS1=(__VIRTUAL_PROMPT__) ${PS1-}
     else
-        PS1="(`basename \"$VIRTUAL_ENV\"`) ${PS1-}"
+        PS1=(`basename \"$VIRTUAL_ENV\"`) ${PS1-}
     fi
     export PS1
 fi

src/virtualenv/activation/batch/__init__.py

@@ -17,6 +17,10 @@ def templates(self):
         yield Path("deactivate.bat")
         yield Path("pydoc.bat")
 
+    @staticmethod
+    def quote(string):
+        return string
+
     def instantiate_template(self, replacements, template, creator):
         # ensure the text has all newlines as \r\n - required by batch
         base = super(BatchActivator, self).instantiate_template(replacements, template, creator)

src/virtualenv/activation/cshell/activate.csh

@@ -10,15 +10,15 @@ alias deactivate 'test $?_OLD_VIRTUAL_PATH != 0 && setenv PATH "$_OLD_VIRTUAL_PA
 # Unset irrelevant variables.
 deactivate nondestructive
 
-setenv VIRTUAL_ENV '__VIRTUAL_ENV__'
+setenv VIRTUAL_ENV __VIRTUAL_ENV__
 
 set _OLD_VIRTUAL_PATH="$PATH:q"
-setenv PATH "$VIRTUAL_ENV:q/__BIN_NAME__:$PATH:q"
+setenv PATH "$VIRTUAL_ENV:q/"__BIN_NAME__":$PATH:q"
 
 
 
-if ('__VIRTUAL_PROMPT__' != "") then
-    set env_name = '(__VIRTUAL_PROMPT__) '
+if (__VIRTUAL_PROMPT__ != "") then
+    set env_name = (__VIRTUAL_PROMPT__) 
 else
     set env_name = '('"$VIRTUAL_ENV:t:q"') '
 endif

src/virtualenv/activation/fish/activate.fish

@@ -57,15 +57,15 @@ end
 # Unset irrelevant variables.
 deactivate nondestructive
 
-set -gx VIRTUAL_ENV '__VIRTUAL_ENV__'
+set -gx VIRTUAL_ENV __VIRTUAL_ENV__
 
 # https://github.com/fish-shell/fish-shell/issues/436 altered PATH handling
 if test (echo $FISH_VERSION | head -c 1) -lt 3
    set -gx _OLD_VIRTUAL_PATH (_bashify_path $PATH)
 else
     set -gx _OLD_VIRTUAL_PATH $PATH
 end
-set -gx PATH "$VIRTUAL_ENV"'/__BIN_NAME__' $PATH
+set -gx PATH "$VIRTUAL_ENV"'/'__BIN_NAME__ $PATH
 
 # Unset `$PYTHONHOME` if set.
 if set -q PYTHONHOME
@@ -87,8 +87,8 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT"
 
         # Prompt override provided?
         # If not, just prepend the environment name.
-        if test -n '__VIRTUAL_PROMPT__'
-            printf '(%s) ' '__VIRTUAL_PROMPT__'
+        if test -n __VIRTUAL_PROMPT__
+            printf '(%s) ' __VIRTUAL_PROMPT__
         else
             printf '(%s) ' (basename "$VIRTUAL_ENV")
         end

src/virtualenv/activation/nushell/__init__.py

@@ -13,6 +13,24 @@ def templates(self):
         yield Path("activate.nu")
         yield Path("deactivate.nu")
 
+    @staticmethod
+    def quote(string):
+        """
+        Nushell supports raw strings like: r###'this is a string'###.
+        This method finds the maximum continuous sharps in the string and then
+        quote it with an extra sharp.
+        """
+        max_sharps = 0
+        current_sharps = 0
+        for char in string:
+            if char == "#":
+                current_sharps += 1
+                max_sharps = max(current_sharps, max_sharps)
+            else:
+                current_sharps = 0
+        wrapping = "#" * (max_sharps + 1)
+        return f"r{wrapping}'{string}'{wrapping}"
+
     def replacements(self, creator, dest_folder):
         # Due to nushell scoping, it isn't easy to create a function that will
         # deactivate the environment. For that reason a __DEACTIVATE_PATH__

src/virtualenv/activation/nushell/activate.nu

@@ -9,8 +9,8 @@ def-env activate-virtualenv [] {
     }
 
     let is-windows = ((sys).host.name | str downcase) == 'windows'
-    let virtual-env = '__VIRTUAL_ENV__'
-    let bin = '__BIN_NAME__'
+    let virtual-env = __VIRTUAL_ENV__
+    let bin = __BIN_NAME__
     let path-sep = '__PATH_SEP__'
     let path-name = if $is-windows {
         if (has-env 'Path') {
@@ -43,10 +43,10 @@ def-env activate-virtualenv [] {
     let new-path = ($old-path | prepend $venv-path | str collect $path-sep)
 
     # Creating the new prompt for the session
-    let virtual-prompt = if ('__VIRTUAL_PROMPT__' == '') {
+    let virtual-prompt = if (__VIRTUAL_PROMPT__ == '') {
         $'(char lparen)($virtual-env | path basename)(char rparen) '
     } else {
-        '(__VIRTUAL_PROMPT__) '
+        (__VIRTUAL_PROMPT__)
     }
 
     # Back up the old prompt builder

src/virtualenv/activation/powershell/__init__.py

@@ -8,3 +8,14 @@
 class PowerShellActivator(ViaTemplateActivator):
     def templates(self):
         yield Path("activate.ps1")
+
+    @staticmethod
+    def quote(string):
+        """
+        This should satisfy PowerShell quoting rules [1], unless the quoted
+        string is passed directly to Windows native commands [2].
+        [1]: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_quoting_rules
+        [2]: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_parsing#passing-arguments-that-contain-quote-characters
+        """  # noqa: D205
+        string = string.replace("'", "''")
+        return f"'{string}'"

src/virtualenv/activation/powershell/activate.ps1

@@ -35,14 +35,14 @@ $env:VIRTUAL_ENV = $VIRTUAL_ENV
 
 New-Variable -Scope global -Name _OLD_VIRTUAL_PATH -Value $env:PATH
 
-$env:PATH = "$env:VIRTUAL_ENV/__BIN_NAME____PATH_SEP__" + $env:PATH
+$env:PATH = "$env:VIRTUAL_ENV/" + __BIN_NAME____PATH_SEP__ + $env:PATH
 if (!$env:VIRTUAL_ENV_DISABLE_PROMPT) {
     function global:_old_virtual_prompt {
         ""
     }
     $function:_old_virtual_prompt = $function:prompt
 
-    if ("__VIRTUAL_PROMPT__" -ne "") {
+    if (__VIRTUAL_PROMPT__ -ne "") {
         function global:prompt {
             # Add the custom prefix to the existing prompt
             $previous_prompt_value = & $function:_old_virtual_prompt