mirror of
https://github.com/anthropics/claude-code-sdk-python.git
synced 2025-12-23 09:19:52 +00:00
Add strict validation to CLAUDE_CLI_VERSION environment variable to prevent command injection vulnerability during CLI download process.

Security Issue:
- Unsanitized environment variable was interpolated into PowerShell and Bash commands at lines 75 and 85
- Severity: MEDIUM
- Category: command_injection

Fix:
- Added regex validation to only allow semantic versions (X.Y.Z) or "latest"
- Pattern: ^([0-9]+\.[0-9]+\.[0-9]+|latest)$
- Raises ValueError for invalid input

Testing:
- Created comprehensive test suite (tests/test_download_cli.py)
- Verified valid versions accepted (1.0.0, latest)
- Verified malicious inputs rejected (injection attempts, invalid formats)
- Full backward compatibility maintained

Changes:
- scripts/download_cli.py: Add validation in get_cli_version()
- tests/test_download_cli.py: New test suite with 70+ test cases
- SECURITY_FIX_SUMMARY.md: Documentation of vulnerability and fix
| Name |
|---|
| .. |
| build_wheel.py |
| download_cli.py |
| initial-setup.sh |
| pre-push |
| update_cli_version.py |
| update_version.py |