mirror of
https://github.com/anthropics/claude-code-sdk-python.git
synced 2025-12-23 09:19:52 +00:00
Add strict validation to CLAUDE_CLI_VERSION environment variable to prevent command injection vulnerability during CLI download process.

Security Issue:
- Unsanitized environment variable was interpolated into PowerShell and Bash commands at lines 75 and 85
- Severity: MEDIUM
- Category: command_injection

Fix:
- Added regex validation to only allow semantic versions (X.Y.Z) or "latest"
- Pattern: ^([0-9]+\.[0-9]+\.[0-9]+|latest)$
- Raises ValueError for invalid input

Testing:
- Created comprehensive test suite (tests/test_download_cli.py)
- Verified valid versions accepted (1.0.0, latest)
- Verified malicious inputs rejected (injection attempts, invalid formats)
- Full backward compatibility maintained

Changes:
- scripts/download_cli.py: Add validation in get_cli_version()
- tests/test_download_cli.py: New test suite with 70+ test cases
- SECURITY_FIX_SUMMARY.md: Documentation of vulnerability and fix

| File | | |
|---|---|---|
| .. | | |
| conftest.py | | |
| test_changelog.py | | |
| test_client.py | | |
| test_download_cli.py | | |
| test_errors.py | | |
| test_integration.py | | |
| test_message_parser.py | | |
| test_sdk_mcp_integration.py | | |
| test_streaming_client.py | | |
| test_subprocess_buffering.py | | |
| test_tool_callbacks.py | | |
| test_transport.py | | |
| test_types.py | | |