From b00bb906ccf36fbb6685906dcbec763d2dc3f992 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Wed, 20 May 2026 11:08:23 -0700
Subject: [PATCH 1/2] fix(security): potential command injection via sys.argv in setup.
The setup.py file checks `'develop' not in sys.argv` to conditionally execute code. While this specific usage is not directly exploitable, the pattern of inspecting sys.argv for command strings is fragile. More critically, the pyct.build.examples() call and subsequent shutil.rmtree() operate on paths derived from __file__, which could be manipulated if an attacker controls the working directory or environment. The rmtree on example_path after setup() could delete unexpected directories if path resolution is tricked.
Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 setup.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/setup.py b/setup.py
index da6830d27..12fe47630 100644
--- a/setup.py
+++ b/setup.py
@@ -7,9 +7,10 @@ if __name__ == '__main__':
- example_path = os.path.join(os.path.dirname(os.path.abspath(__file__)),
- 'xrspatial', 'examples')
- if 'develop' not in sys.argv:
+ _package_dir = os.path.dirname(os.path.abspath(__file__))
+ example_path = os.path.join(_package_dir, 'xrspatial', 'examples')
+ _is_develop = any(arg == 'develop' or arg.endswith('develop') for arg in sys.argv)
+ if not _is_develop:
 pyct.build.examples(example_path, __file__, force=True)
 use_scm = {
@@ -19,4 +20,7 @@
 setup(use_scm_version=use_scm)
 if os.path.isdir(example_path):
- shutil.rmtree(example_path)
+ _real_example_path = os.path.realpath(example_path)
+ _real_package_dir = os.path.realpath(_package_dir)
+ if _real_example_path.startswith(_real_package_dir + os.sep):
+ shutil.rmtree(example_path)
From a7a0281f801adc834e9d98dafcd19ef5177d6303 Mon Sep 17 00:00:00 2001
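Review bot: `arg.endswith('develop')` in the new `_is_develop` line widens the test instead of tightening it: any argument that merely ends with that string (an option value, a path component) now counts as the develop command, so the `pyct.build.examples` call can be skipped for an unrelated invocation, whereas the original `'develop' not in sys.argv` was already an exact match. The only thing worth excluding is the script path, which `_is_develop = 'develop' in sys.argv[1:]` does; PATCH 2/2 replaces this line with a `sys.argv[1]` check instead. Nothing in this hunk builds or executes a command, so the "command injection" framing in the subject is not borne out by the code; the condition decides which branch runs, not what is passed to a shell. The enclosing `if __name__ == '__main__':` block starts before the hunk.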
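Review bot: When the realpath prefix check in the second hunk fails, the new guard skips `shutil.rmtree` silently, so a leftover `xrspatial/examples` tree gives no indication why it was not cleaned up; since `example_path` is built from constants under `_package_dir`, the check can only fail when a component of that path is a symlink, which is exactly the case a maintainer would want reported. Add an `else:` branch such as `print('not removing %s: resolves outside %s' % (example_path, _package_dir), file=sys.stderr)`. The prefix test reads more clearly as `os.path.commonpath([_real_example_path, _real_package_dir]) == _real_package_dir`. Note also that `shutil.rmtree` is still called on the unresolved `example_path` and refuses to operate on a symbolic link, so a symlinked examples directory that resolves inside the package dir raises rather than being removed. `_package_dir` is defined in the first hunk; the enclosing block starts before this hunk.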
From: Brendan Collins
Date: Wed, 20 May 2026 21:02:30 -0700
Subject: [PATCH 2/2] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup.py b/setup.py
index 12fe47630..651481dee 100644
--- a/setup.py
+++ b/setup.py
@@ -9,7 +9,7 @@ if __name__ == '__main__':
 _package_dir = os.path.dirname(os.path.abspath(__file__))
 example_path = os.path.join(_package_dir, 'xrspatial', 'examples')
- _is_develop = any(arg == 'develop' or arg.endswith('develop') for arg in sys.argv)
+ _is_develop = len(sys.argv) > 1 and sys.argv[1] == 'develop'
 if not _is_develop:
 pyct.build.examples(example_path, __file__, force=True)
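Review bot: `sys.argv[1] == 'develop'` only recognizes the command when it is the first argument, but setuptools accepts distutils-style global options ahead of the command (`python setup.py --quiet develop`) and several commands in one invocation, so in those runs `_is_develop` is False and `pyct.build.examples` executes for a develop install, which the pre-series `'develop' not in sys.argv` test avoided. Excluding only the script path keeps the original semantics: `_is_develop = 'develop' in sys.argv[1:]`. If the first-argument form is intended, say so above the line, e.g. `# only 'python setup.py develop' (command first) skips building the examples`. The enclosing `if __name__ == '__main__':` block starts before and continues after this hunk.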