Skip to content

Fix Python code injection via hostname interpolation#142

Open
szachovy wants to merge 1 commit into
masterfrom
fix/86-hostname-injection
Open

Fix Python code injection via hostname interpolation#142
szachovy wants to merge 1 commit into
masterfrom
fix/86-hostname-injection

Conversation

@szachovy

@szachovy szachovy commented Apr 8, 2026

Copy link
Copy Markdown
Owner

Anchor hostname regex with ^ and $ to prevent partial matches. Use repr() for all values interpolated into Python source strings. Prevents string literal breakout via crafted hostnames.

Closes #86

Anchor hostname regex with ^ and $ to prevent partial matches. Use
repr() for all values interpolated into Python source strings passed
to run_python_container_command(). Prevents string literal breakout
via crafted hostnames or parameters.

Closes #86

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

CV-2: Python code injection via hostname interpolation into remote exec strings

1 participant