
Please comment on CVE-2024-53899 and virtualenv activation scripts #9424

Open · musicinmybrain opened this issue Nov 25, 2024 · 1 comment

@musicinmybrain
Contributor

Yesterday, CVE-2024-53899 was published, with the following description:

virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing.

This corresponds to pypa/virtualenv#2768 and is supposed to be fixed by pypa/virtualenv#2771.

Because uv vendors virtualenv activation scripts in crates/uv-virtualenv/src/activator/, I wondered if uv was also affected. Imitating the original reproducer in pypa/virtualenv#2768, and working with a uv checkout on the 0.5.4 tag:

$ cargo build
$ envname="';uname -a;':"
$ mkdir "$envname"
$ cd "$envname"
$ ../target/debug/uv venv .
$ . ./bin/activate
(';uname -a;':) ben@musicbox:~/src/forks/uv/';uname -a;':$

This is good; the uname -a command was not executed, so this test did not reproduce the problem.

Checking older versions, it looks like this was fixed between uv 0.5.2 and 0.5.3, probably in #8984 (although I did not bother bisecting). To reiterate this very clearly, I was not able to trivially reproduce CVE-2024-53899 in uv 0.5.3 and later, but I was able to reproduce it (output from uname -a appeared in my console) in uv 0.5.2 and earlier.

Could you please comment on whether you believe the underlying issue is entirely mitigated in uv, or whether further work needs to be done? Thank you!
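The quoting bug class the issue describes, as an added example that is not code from uv or virtualenv: a minimal activation-style template (constructed for this example) is rendered once by pasting the raw directory name into a single-quoted assignment, which is the pre-20.26.6 behaviour the CVE text describes, and once after escaping every single quote as '\'' (one standard POSIX technique, assumed here rather than taken from pypa/virtualenv#2771 or uv #8984). Each rendering is sourced in a subshell with a directory name shaped like the reproducer, and the script reports whether the injected assignment ran. The function names sq_escape, render and injected, the template text and the payload path are this example's own.

```shell
#!/bin/sh
# Added example (not code from uv or virtualenv): demonstrate the quoting
# bug class behind CVE-2024-53899 with a minimal activation-script template.

# Minimal activate-style template, constructed for this example. A real
# activation script is longer, but the injection point is the same: a
# placeholder inside single quotes that is replaced with the venv path.
TEMPLATE="VIRTUAL_ENV='__VIRTUAL_ENV__'
export VIRTUAL_ENV
PS1=\"(\$(basename -- \"\$VIRTUAL_ENV\")) \${PS1:-}\"
export PS1"

# Escape a string so it can be embedded inside single quotes in POSIX sh:
# every ' becomes '\'' (close the quote, a literal quote, reopen the quote).
sq_escape() {
    printf '%s' "$1" | sed "s/'/'\\\\''/g"
}

# render MODE PATH: substitute PATH for the placeholder. MODE "naive" pastes
# the raw value (the pre-20.26.6 virtualenv behaviour the CVE describes);
# MODE "quoted" escapes it first. Substitution uses parameter expansion so
# no characters in PATH are interpreted during rendering itself.
render() {
    mode=$1
    value=$2
    if [ "$mode" = quoted ]; then
        value=$(sq_escape "$2")
    fi
    printf '%s%s%s\n' "${TEMPLATE%%__VIRTUAL_ENV__*}" "$value" "${TEMPLATE#*__VIRTUAL_ENV__}"
}

# injected MODE PATH: render the script, source it in a subshell, and print 1
# if the payload's "INJECTED=1" assignment ran (the shell executed the
# attacker-controlled fragment), else 0. The subshell protects the caller.
injected() {
    script=$(mktemp)
    render "$1" "$2" >"$script"
    result=$( . "$script" 2>/dev/null; printf '%s' "${INJECTED:-0}" )
    rm -f "$script"
    printf '%s' "$result"
}

# Hostile directory name in the shape of the original reproducer: the leading
# ' closes the quoted string, ; ends the statement, and the trailing ': turns
# the dangling quote into the ':' no-op builtin so the script stays
# syntactically valid. The payload sets a variable instead of running uname
# so the outcome can be checked. Path is constructed for this example.
PAYLOAD="/tmp/';INJECTED=1;':"

naive_result=$(injected naive "$PAYLOAD")
quoted_result=$(injected quoted "$PAYLOAD")
echo "naive rendering:  injected=$naive_result"
echo "quoted rendering: injected=$quoted_result"
```

Running it prints injected=1 for the naive rendering and injected=0 for the quoted one; the rendered naive script's first line reads `VIRTUAL_ENV='/tmp/';INJECTED=1;':'`, which is three statements, while the quoted rendering keeps the whole name inside one string. The same check can be pointed at a real activation script by sourcing it in a subshell after creating an environment in a directory named with this payload.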

@charliermarsh
Member

Thanks for filing! We'll take a look.
