From 7709a5d693fb762d271d8c9e6df98557a2d0cbe2 Mon Sep 17 00:00:00 2001
From: Dan McInerney
Date: Fri, 23 Dec 2022 13:29:50 -0500
Subject: [PATCH 1/2] Update ipynb2md.py

Fixed command injection bug where a user could payload the Jupyter notebook name or md filename with something like "notebook.ipynb&&cat /etc/shadow>/public_html/index.html".
---
 tools/ipynb2md.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/tools/ipynb2md.py b/tools/ipynb2md.py
index eba40432e4b9..d1a5b8454efd 100644
--- a/tools/ipynb2md.py
+++ b/tools/ipynb2md.py
@@ -31,6 +31,9 @@
 import os
 import argparse
 import nbformat
+import mslex
+import shlex
+import subprocess
 
 
 def remove_outputs(nb):
@@ -68,7 +71,17 @@ def main():
 
     clear_notebook(old_ipynb, new_ipynb)
 
-    os.system('jupyter nbconvert ' + new_ipynb + ' --to markdown --output ' + md_file)
+
+    cmd = 'jupyter nbconvert' + new_ipynb, + '--to markdown' + '--output' + md_file
+    if os.name == 'posix':
+        escaped_cmd = shlex.quote(cmd)
+        subprocess.run(escaped_cmd)
+    elif os.name == 'nt':
+        escaped_cmd = mslex.quote(cmd)
+        subprocess.run(escaped_cmd)
+    else:
+        print("Could not determine operating system")
+
     with open(md_file, 'a') as f:
         f.write('')
     os.system('rm ' + new_ipynb)

From 2abf22daddd6ec73d2054eb713000287258338a4 Mon Sep 17 00:00:00 2001
From: Dan McInerney
Date: Tue, 3 Jan 2023 18:17:09 -0500
Subject: [PATCH 2/2] Update ipynb2md.py

---
 tools/ipynb2md.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/ipynb2md.py b/tools/ipynb2md.py
index d1a5b8454efd..7f963ad3bda4 100644
--- a/tools/ipynb2md.py
+++ b/tools/ipynb2md.py
@@ -80,7 +80,8 @@ def main():
         escaped_cmd = mslex.quote(cmd)
         subprocess.run(escaped_cmd)
     else:
-        print("Could not determine operating system")
+        print("Could not determine operating system, exiting.")
+        return
 
     with open(md_file, 'a') as f:
         f.write('')
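Review bot: `import mslex` turns a third-party package into a hard requirement of the tool: it is imported unconditionally at module level, so on POSIX, where the code never calls it, a missing install now fails the whole script at import time. If the Windows quoting branch stays, import it lazily inside that branch (`if os.name == 'nt': import mslex`) or record it in the project's dependency list. If the conversion is switched to an argument-list `subprocess.run` call, neither `mslex` nor `shlex` is needed, because no shell is involved and nothing has to be quoted.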
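Review bot: The new conversion call cannot execute as written, so the injection fix never takes effect. `cmd = 'jupyter nbconvert' + new_ipynb, + '--to markdown' + '--output' + md_file` is a tuple expression whose second element applies unary `+` to a str, which raises TypeError before any command runs, and even as a plain concatenation the pieces have no separating spaces. Quoting the whole command with `shlex.quote`/`mslex.quote` and handing that single string to `subprocess.run` without `shell=True` would then search for a program literally named by the entire quoted command, so that path could not succeed either. The robust form is to pass `subprocess.run` an argument list: the filenames become argv entries verbatim on every platform, no shell parses them, and the os.name dispatch disappears. The context line `os.system('rm ' + new_ipynb)` at the end of the hunk still builds a shell command from the same user-derived name and should become `os.remove(new_ipynb)`; main() begins outside the hunk.

```python
    clear_notebook(old_ipynb, new_ipynb)

    # Argument list, no shell: the filenames travel as argv entries, so
    # shell metacharacters in them are never interpreted. check=True
    # surfaces a failed conversion instead of silently continuing.
    subprocess.run(
        ['jupyter', 'nbconvert', new_ipynb, '--to', 'markdown', '--output', md_file],
        check=True,
    )
    with open(md_file, 'a') as f:
        f.write('')
    os.remove(new_ipynb)
```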
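Review bot: The new early `return` leaves main() with exit status 0 after printing only to stdout, so a caller or CI job cannot tell that no Markdown file was produced; `raise SystemExit("Could not determine operating system, exiting.")` reports the message on stderr with a non-zero status and needs no extra import. The return also happens before the temporary notebook written by `clear_notebook` earlier in main() is removed (the `rm` of `new_ipynb` visible at the end of the first patch's hunk), so the intermediate file is left on disk on this path. main() begins and ends outside the hunk.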