From 7709a5d693fb762d271d8c9e6df98557a2d0cbe2 Mon Sep 17 00:00:00 2001
From: Dan McInerney <dan.h.mcinerney@gmail.com>
Date: Fri, 23 Dec 2022 13:29:50 -0500
Subject: [PATCH 1/2] Update ipynb2md.py

Fixed a command injection bug where a user could inject shell commands through the Jupyter notebook name or md filename with something like "notebook.ipynb&&cat /etc/shadow>/public_html/index.html".
---
 tools/ipynb2md.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/tools/ipynb2md.py b/tools/ipynb2md.py
index eba40432e4b9..d1a5b8454efd 100644
--- a/tools/ipynb2md.py
+++ b/tools/ipynb2md.py
@@ -31,6 +31,9 @@
 import os
 import argparse
 import nbformat
+import mslex
+import shlex
+import subprocess
 
 
 def remove_outputs(nb):
@@ -68,7 +71,17 @@ def main():
 
 
     clear_notebook(old_ipynb, new_ipynb)
-    os.system('jupyter nbconvert ' + new_ipynb + ' --to markdown --output ' + md_file)
+    
+    cmd = 'jupyter nbconvert' + new_ipynb, + '--to markdown' + '--output' + md_file
+    if os.name == 'posix':
+        escaped_cmd = shlex.quote(cmd)
+        subprocess.run(escaped_cmd)
+    elif os.name == 'nt':
+        escaped_cmd = mslex.quote(cmd)
+        subprocess.run(escaped_cmd)
+    else:
+        print("Could not determine operating system")
+
     with open(md_file, 'a') as f:
         f.write('<!-- INSERT SOURCE DOWNLOAD BUTTONS -->')
     os.system('rm ' + new_ipynb)
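Review bot: The `cmd = ...` line builds a tuple, not a string: the comma after `new_ipynb` splits the expression, and the unary `+` in front of `'--to markdown'` raises TypeError before any process is started, so neither branch can run; even as a string the pieces have no separating spaces. Quoting the whole command with `shlex.quote`/`mslex.quote` and handing it to `subprocess.run` without `shell=True` would then ask the OS to execute one program whose name is the entire quoted string, so the conversion still never happens. An argv list needs no quoting and no OS branch and closes the injection the commit describes: `subprocess.run(['jupyter', 'nbconvert', new_ipynb, '--to', 'markdown', '--output', md_file], check=True)`; the `shlex` and `mslex` imports added in the previous hunk then become unnecessary, and `mslex` is a third-party package that would otherwise have to be installed. The `os.system('rm ' + new_ipynb)` context line at the end of this hunk still concatenates the same user-controlled name into a shell string, so `os.remove(new_ipynb)` should replace it in the same change. main() begins before this hunk.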

From 2abf22daddd6ec73d2054eb713000287258338a4 Mon Sep 17 00:00:00 2001
From: Dan McInerney <dan.h.mcinerney@gmail.com>
Date: Tue, 3 Jan 2023 18:17:09 -0500
Subject: [PATCH 2/2] Update ipynb2md.py

---
 tools/ipynb2md.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/ipynb2md.py b/tools/ipynb2md.py
index d1a5b8454efd..7f963ad3bda4 100644
--- a/tools/ipynb2md.py
+++ b/tools/ipynb2md.py
@@ -80,7 +80,8 @@ def main():
         escaped_cmd = mslex.quote(cmd)
         subprocess.run(escaped_cmd)
     else:
-        print("Could not determine operating system")
+        print("Could not determine operating system, exiting.")
+        return
 
     with open(md_file, 'a') as f:
         f.write('<!-- INSERT SOURCE DOWNLOAD BUTTONS -->')
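Review bot: The added `return` makes `main()` finish with exit status 0 after printing, so a caller or CI job sees a successful run even though no markdown file was written; `raise SystemExit("Could not determine operating system, exiting.")` reports the message on stderr and exits non-zero without needing a new import. The `subprocess.run(escaped_cmd)` context lines above still pass a single quoted string as the program name rather than an argv list, so the branch this `return` guards is unlikely to be the only path that fails to convert; the OS branching could be dropped in favour of one `subprocess.run([...], check=True)` call. main() starts and ends outside this hunk.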