From d535301e1fe982abb9b5b16258fa6627d8ee4bc8 Mon Sep 17 00:00:00 2001
From: Milo Minderbinder
Date: Wed, 5 Jan 2022 19:42:25 -0500
Subject: [PATCH] disallow abbreviated forms of full option names
Previously, due to default behavior of ArgumentParser, global --index-url, --extra-index-url, and --trusted-host options in requirements files could be abbreviated (e.g. "--index" == "--index-url"). As a result, unexpected behavior could occur during processing of a requirements file with these shortened option names when using Pipenv, which could be exploited by a malicious actor to surreptitiously insert pip options using non-obvious abbreviations. For example, adding a line with "--t example.com" to the requirements file would cause Pipenv to treat example.com as trusted, even when example.com presents an invalid TLS certificate. This commit disables support for abbreviated options in the ArgumentParser, to align Pipenv's behavior when parsing global options in a requirements file with the behavior in pip, as expected.
---
 pipenv/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pipenv/utils.py b/pipenv/utils.py
index cb2cecd1d0..f311e1e48c 100644
--- a/pipenv/utils.py
+++ b/pipenv/utils.py
@@ -2053,7 +2053,7 @@ def parse_indexes(line, strict=False):
 comment_re = re.compile(r"(?:^|\s+)#.*$")
 line = comment_re.sub("", line)
- parser = ArgumentParser("indexes")
+ parser = ArgumentParser("indexes", allow_abbrev=False)
 parser.add_argument("-i", "--index-url", dest="index")
 parser.add_argument("--extra-index-url", dest="extra_index")
 parser.add_argument("--trusted-host", dest="trusted_host")
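Review bot: No regression test accompanies the `allow_abbrev=False` change on the `parser = ArgumentParser(...)` line (the diffstat shows only pipenv/utils.py touched), so nothing pins the behavior the description calls out; a test asserting that a requirements line such as `--t example.com` or `--index <url>` is no longer parsed into `trusted_host` / `index` by parse_indexes would keep a later argparse or parser change from silently reopening it. The changed line also deserves a why-comment, since the keyword reads as incidental: `# allow_abbrev=False: argparse must not prefix-match "--index"/"--t" to the real option names; mirror pip's strict parsing of requirements-file options`. Note that `allow_abbrev` only disables prefix matching of long options; how the parser is applied to the line (parse_args vs parse_known_args, and what becomes of unrecognized tokens) is outside this hunk and is what decides whether an unexpected token is rejected or quietly ignored. parse_indexes starts before the hunk and continues after it.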