Fix scan alert #151 by testing user-provided CMake arguments in setup.py
#1006
Conversation
[Code scanning alert quantumlib#151]( https://github.com/quantumlib/qsim/security/code-scanning/151) reports that the `subprocess.run()` invocation includes values (from `cmake_args`) that are user-provided and thus insecure. The only way that user-provided values could be snuck in is via the environment variable `CMAKE_ARGS`. This PR adds a simple test that all the values in that variable begin with a dash, on the premise that the values will all be flags to cmake. This is somewhat restrictive and might result in false positives, but it's a step towards improving the security.
This tests the argument-checking code additions to `setup.py`.
For running tests, we need setup.py to be there.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request addresses a security vulnerability by validating user-provided CMake arguments from the CMAKE_ARGS environment variable. However, the current validation is still vulnerable to argument injection, as dangerous CMake flags like -P or -E can bypass the check. A more restrictive validation, such as only allowing definition flags (-D), is recommended to fully mitigate the CodeQL #151 alert. The inclusion of unit tests is a great addition, and further improvements to robustness and maintainability are suggested in the specific comments.
There was a problem hiding this comment.
I think it is better to dismiss the original alert and close this PR.
The setup.py is used only at installation and wheel-building time and is not accessible to user in a normal qsim operation.
Trying to sanitize possible CMAKE_ARGS values is probably a hopeless task. The attempts to do so make it harder to follow the code and are likely to introduce new bugs or interfere with legitimate cmake arguments.
| ) | ||
| except FileNotFoundError as e: | ||
| # This Dummy class emulates what subprocess.run() returns. | ||
| class Dummy: |
There was a problem hiding this comment.
As a general comment, term dummy is problematic and should be avoided in naming things, go/respectful-words.
There was a problem hiding this comment.
Oh yes, quite right. Thank you for pointing that out.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Yeah, it's probably true, or at least, the present approach is looking like a poor ROI. |
2 participants
Code scanning alert #151 reports that the
subprocess.run()invocation includes values (fromcmake_args) that are user-provided and thus insecure.The only way that user-provided values could be snuck in here is via the environment variable
CMAKE_ARGS. The types of CMake arguments that make sense in this context are flags, and all of those begin with a dash. As a (admittedly limited) form of protection against this vulnerability, this PR adds a test of the values from CMAKE_ARGS to verify they all begin with a dash character.This does restrict the form of the flags that can be passed in
CMAKE_ARGS. Technically, CMake understands two forms:-DCMAKE_CXX_STANDARD=17and-D CMAKE_CXX_STANDARD=17. The change in this PR means the flags always have to be of the first form, which seems to be a small inconvenience but not something that prevents any flags from being written.Included in this PR are some new unit tests.