-
-
Notifications
You must be signed in to change notification settings - Fork 34.7k
Add security warning to mailbox docs
#149295
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
StanFromIreland
wants to merge
1
commit into
python:main
Choose a base branch
from
StanFromIreland:mailbox-security
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+5
−0
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, you could probably add a variation on this warning to every module in the stdlib that operates on files, so at the moment I'm not convinced. I haven't read over the security issues, though, so we'll see. I don't think the message as is is all that useful, though. I certainly don't know what it is trying to tell me.
I suggest we hold on this for a bit for further discussion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The message is passively trying to say: We will not treat these problems in
mailboxas security issues because it is nobody's priority to attempt to maintainmailboxfor such purposes.We could just say that instead.
Realistically: Why do we even have this module in the stdlib at all?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Exactly! Hmm, we imply the same for various other modules and APIs but generally use the fancy wording.
I think the AA batteries we included have expanded to D batteries. ;-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fwiw
mailboxis a leaf node module (nothing else in the stdlib depends on it AFAICT) so while I wouldn't actually go so far as to say something as snarky as my "isn't a priority" in the docs, wording like your proposal laying out security expectations is good to have.for this specific module, given the reports we've been receiving on PSRT maybe we could be more specific and offer some advice to users. The security reports that we're not considering serious have been around the mailbox files/directory-trees being on attacker controlled file systems. Not about the contents of an individual email stored within. "externally modified data" in your phrasing is maybe a bit vague and could imply message contents are involved?
on the slippery slops docs warning topic: We have a general theme of these messages being spread out throughout our docs near the APIs they apply to. Messaging like this is intended to meet the user where they're at when looking up how to use something.
Our other security what is and isn't an issue docs like the devguide and security.md can also point to things in a more "do or do not report x/y/z" manner for specific packages.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh indeed. It really should have been a PyPI module, if only it had existed at the time.
Maybe:
Or something like:
In this case, the warning applies to the entire module, so I think putting warnings under each API would be too duplicative.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe? though that also seems verbose. (that's from me going back and forth with Claude a few times given our desire to clarify the reports at hand and wanting to make the advice somewhat actionable)
We might accept PRs helping flag some such inputs via ValueError's in the future but the important thing is we're not claiming to be comprehensive.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is certainly more detailed, although “As such, the following are not treated as security vulnerabilities:” feels too specific. I think the docs should explicitly state the general (lack of a) support boundary.
Also, I think we should avoid suggestions like "at a minimum, reject any value containing
"..","/","\", or":"." It is not a complete cross-platform path-safety rule and could become misleading.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, agreed. even listing the characters to avoid screams "so why isn't that a ValueError already?"... the reason likely being nobody proactively maintains the module. and avoiding characters instead of specifying what is allowed is backwards... MH is integer keyed message ids by definition for example.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seeing the complications adding suggestions introduces, WDYT about this? Based on usage on GitHub (which overall is tiny!), almost all users are using the module for small little local scripts, and won't care about such considerations anyhow.