PyPI - chorut - Versions diffs - 0.1.4__tar.gz → 0.1.5__tar.gz - Mend

chorut 0.1.4tar.gz → 0.1.5tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

{chorut-0.1.4 → chorut-0.1.5}/PKG-INFO +29 -6
{chorut-0.1.4 → chorut-0.1.5}/README.md +28 -5
{chorut-0.1.4 → chorut-0.1.5}/chorut/__init__.py +20 -16
{chorut-0.1.4 → chorut-0.1.5}/pyproject.toml +1 -1
{chorut-0.1.4 → chorut-0.1.5}/.gitignore +0 -0
{chorut-0.1.4 → chorut-0.1.5}/LICENSE +0 -0
{chorut-0.1.4 → chorut-0.1.5}/chorut/__main__.py +0 -0

{chorut-0.1.4 → chorut-0.1.5}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: chorut
-Version: 0.1.4
+Version: 0.1.5
 Summary: Python implementation of an enhanced chroot functionality with minimal dependencies
 Project-URL: Homepage, https://github.com/abuss/chorut
 Project-URL: Repository, https://github.com/abuss/chorut.git
@@ -293,7 +293,7 @@ Returns a `subprocess.CompletedProcess` object with:
 ##### execute() Examples
 ```python
-# List command
+# List command (recommended for security)
 result = chroot.execute(['ls', '-la'])
 # String command
@@ -303,17 +303,40 @@ result = chroot.execute('ls -la')
 result = chroot.execute('cat /etc/hostname', capture_output=True)
 hostname = result.stdout.strip()
-# Shell features require explicit bash
-result = chroot.execute("bash -c 'ls | wc -l'", capture_output=True)
-line_count = int(result.stdout.strip())
+# Shell features work automatically with auto_shell=True (default)
+result = chroot.execute('ls | wc -l', capture_output=True)  # Pipes work!
+result = chroot.execute('echo hello && echo world')  # Logical operators
+result = chroot.execute('ls *.txt')  # Glob patterns
+# List commands with special characters are handled safely
+result = chroot.execute(['echo', 'hello world', 'foo;bar'])
 # Interactive shell (command=None)
 chroot.execute()  # Starts bash shell
 ```
+### Command List Validation
+When using list-based commands, all arguments are validated:
+```python
+# Valid - all arguments are strings
+result = chroot.execute(['echo', 'hello', 'world'])
+# Raises ChrootError - non-string arguments
+result = chroot.execute(['echo', 123])  # Error: All command arguments must be strings
+# Raises ChrootError - empty list
+result = chroot.execute([])  # Error: Command list cannot be empty
+```
+### Security
+All user-provided values (mount sources, targets, command arguments) are properly escaped using `shlex.quote()` to prevent command injection attacks. List-based commands are recommended over string commands when handling untrusted input.
 ### Exceptions
-- `ChrootError`: Raised for chroot-related errors
+- `ChrootError`: Raised for chroot-related errors, invalid command arguments, or empty command lists
 - `MountError`: Raised for mount-related errors
 ## Requirements

{chorut-0.1.4 → chorut-0.1.5}/README.md RENAMED Viewed

@@ -260,7 +260,7 @@ Returns a `subprocess.CompletedProcess` object with:
 ##### execute() Examples
 ```python
-# List command
+# List command (recommended for security)
 result = chroot.execute(['ls', '-la'])
 # String command
@@ -270,17 +270,40 @@ result = chroot.execute('ls -la')
 result = chroot.execute('cat /etc/hostname', capture_output=True)
 hostname = result.stdout.strip()
-# Shell features require explicit bash
-result = chroot.execute("bash -c 'ls | wc -l'", capture_output=True)
-line_count = int(result.stdout.strip())
+# Shell features work automatically with auto_shell=True (default)
+result = chroot.execute('ls | wc -l', capture_output=True)  # Pipes work!
+result = chroot.execute('echo hello && echo world')  # Logical operators
+result = chroot.execute('ls *.txt')  # Glob patterns
+# List commands with special characters are handled safely
+result = chroot.execute(['echo', 'hello world', 'foo;bar'])
 # Interactive shell (command=None)
 chroot.execute()  # Starts bash shell
 ```
+### Command List Validation
+When using list-based commands, all arguments are validated:
+```python
+# Valid - all arguments are strings
+result = chroot.execute(['echo', 'hello', 'world'])
+# Raises ChrootError - non-string arguments
+result = chroot.execute(['echo', 123])  # Error: All command arguments must be strings
+# Raises ChrootError - empty list
+result = chroot.execute([])  # Error: Command list cannot be empty
+```
+### Security
+All user-provided values (mount sources, targets, command arguments) are properly escaped using `shlex.quote()` to prevent command injection attacks. List-based commands are recommended over string commands when handling untrusted input.
 ### Exceptions
-- `ChrootError`: Raised for chroot-related errors
+- `ChrootError`: Raised for chroot-related errors, invalid command arguments, or empty command lists
 - `MountError`: Raised for mount-related errors
 ## Requirements

{chorut-0.1.4 → chorut-0.1.5}/chorut/__init__.py RENAMED Viewed

@@ -8,6 +8,8 @@ using only Python standard library modules.
 import contextlib
 import logging
 import os
+import re
+import shlex
 import subprocess
 import sys
 from pathlib import Path
@@ -279,8 +281,6 @@ class ChrootManager:
         Returns True if the command contains shell features like pipes, redirects,
         command substitution, logical operators, etc.
         """
-        import re
         # Shell metacharacters that require shell interpretation
         shell_patterns = [
             r"\|",  # Pipes: cmd1 | cmd2
@@ -505,10 +505,10 @@ class ChrootManager:
             mkdir = mount_spec.get("mkdir", True)
             if verbose:
-                script_lines.append(f"echo 'Mounting {source} -> {target_rel}'")
+                script_lines.append(f"echo 'Mounting {shlex.quote(source)} -> {shlex.quote(target_rel)}'")
             if mkdir:
-                script_lines.append(f"mkdir -p '{target_rel}'")
+                script_lines.append(f"mkdir -p {shlex.quote(target_rel)}")
             mount_cmd = ["mount"]
             if bind:
@@ -517,9 +517,9 @@ class ChrootManager:
                 mount_cmd.extend(["-t", fstype])
             if options:
-                mount_cmd.extend(["-o", options])
+                mount_cmd.extend(["-o", shlex.quote(options)])
-            mount_cmd.extend([f"'{source}'", f"'{target_rel}'"])
+            mount_cmd.extend([shlex.quote(source), shlex.quote(target_rel)])
             script_lines.append(" ".join(mount_cmd))
         script_lines.extend(
@@ -535,9 +535,9 @@ class ChrootManager:
         chroot_cmd = ["chroot"]
         if userspec:
-            chroot_cmd.extend(["--userspec", userspec])
+            chroot_cmd.extend(["--userspec", shlex.quote(userspec)])
         chroot_cmd.append(".")
-        chroot_cmd.extend(f"'{arg}'" for arg in command)
+        chroot_cmd.extend(shlex.quote(arg) for arg in command)
         script_lines.append(" ".join(chroot_cmd))
@@ -600,14 +600,18 @@ class ChrootManager:
         if command is None:
             command = ["/bin/bash"]
         elif isinstance(command, str):
-            import shlex
             # Auto-detect shell features and wrap with bash -c if needed
             if self.auto_shell and self._needs_shell(command):
                 logger.debug(f"Auto-detected shell features in command: {command}")
                 command = ["bash", "-c", command]
             else:
                 command = shlex.split(command)
+        elif isinstance(command, list):
+            # Validate that all elements in the list are strings
+            if not all(isinstance(arg, str) for arg in command):
+                raise ChrootError("All command arguments must be strings")
+            if len(command) == 0:
+                raise ChrootError("Command list cannot be empty")
         if self.unshare_mode:
             # For unshare mode, create a script and run it in unshared namespace
@@ -617,18 +621,18 @@ class ChrootManager:
             # Write script to a temporary file
             import tempfile
-            with tempfile.NamedTemporaryFile(mode="w", suffix=".sh", delete=False) as f:
-                f.write(script_content)
-                script_path = f.name
+            fd, script_path = tempfile.mkstemp(suffix=".sh", text=True)
+            try:
+                os.write(fd, script_content.encode())
+            finally:
+                os.close(fd)
+            os.chmod(script_path, 0o700)
             logger.debug("Unshare script written to: %s", script_path)
             if logger.isEnabledFor(logging.DEBUG):
                 logger.debug("Script content:\n%s", script_content)
             try:
-                # Make script executable
-                os.chmod(script_path, 0o755)
                 # Run the script in unshared namespace
                 unshare_cmd = ["unshare", "--fork", "--pid", "--mount", "--map-auto", "--map-root-user", script_path]

{chorut-0.1.4 → chorut-0.1.5}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "chorut"
-version = "0.1.4"
+version = "0.1.5"
 description = "Python implementation of an enhanced chroot functionality with minimal dependencies"
 readme = "README.md"
 license = {text = "MIT"}

{chorut-0.1.4 → chorut-0.1.5}/.gitignore RENAMED Viewed

File without changes

{chorut-0.1.4 → chorut-0.1.5}/LICENSE RENAMED Viewed

File without changes

{chorut-0.1.4 → chorut-0.1.5}/chorut/__main__.py RENAMED Viewed

File without changes

chorut 0.1.4__tar.gz → 0.1.5__tar.gz

chorut 0.1.4tar.gz → 0.1.5tar.gz