Skip to content

validate variable names in copyToGlobals debug handler#1537

Open
sahvx655-wq wants to merge 1 commit into
ipython:mainfrom
sahvx655-wq:copytoglobals-validate-names
Open

validate variable names in copyToGlobals debug handler#1537
sahvx655-wq wants to merge 1 commit into
ipython:mainfrom
sahvx655-wq:copytoglobals-validate-names

Conversation

@sahvx655-wq

Copy link
Copy Markdown
Contributor

Expression injection via unvalidated variable names in copyToGlobals

While reading through the debug handlers I noticed copyToGlobals drops the client-supplied dstVariableName straight into globals()['{dst_var_name}'] and forwards that to setExpression, and hands srcVariableName over as the value expression, with neither of them checked. Its sibling richInspectVariables already runs str.isidentifier over the name it evaluates, so the omission here stood out. A name such as x'] or __import__('os').system('id') or globals()['y closes the quoted string and injects an arbitrary expression that debugpy then evaluates in the debuggee frame; the forwarded setExpression payload showed the escaped quotes plainly once I logged it.

Left as is this lets a malformed or hostile debug request steer evaluation well beyond a variable copy. The change rejects any dstVariableName/srcVariableName that is not a valid identifier before the expression is built, mirroring the guard the sibling handler already applies. Added a regression under the existing debugger tests that confirms such a request is refused locally rather than forwarded.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants