fix: .pth false positives on known-safe Python ecosystem files #41
Status: Merged
Conversation
_virtualenv.pth, distutils-precedence.pth, setuptools.pth, coverage.pth, easy-install.pth, and zope-nspkg.pth are legitimate ecosystem files that use import statements for site customization.
- aguara check: allowlist skips known-safe filenames before scanning
- SC-EX-004: removed bare "import" pattern, added "import X; Y" pattern for compound statements. Exclude patterns for known-safe imports.
- SC-EX-010: exclude patterns for known-safe imports
Fixes false positives reported on _virtualenv.pth in uv cache.
Problem
aguara check flags _virtualenv.pth as CRITICAL because it contains import _virtualenv. This is a legitimate file installed by virtualenv in every Python environment. Users running aguara check get dozens of false positive CRITICAL findings from their uv cache.
Fix
Allowlist of known-safe .pth filenames that use import statements for legitimate site customization:
- _virtualenv.pth (virtualenv activation)
- distutils-precedence.pth (setuptools distutils override)
- easy-install.pth (legacy easy_install)
- setuptools.pth (setuptools shim)
- coverage.pth (coverage.py startup)
- zope-nspkg.pth (zope namespace packages)
Changes
- checker.go skips known-safe filenames before scanning
- ^import\s pattern (too broad) replaced with import\s+\w+\s*;\s*\w for compound statements. Added exclude patterns for known-safe imports.
Malicious .pth files (with subprocess, exec, eval, etc.) are still detected as CRITICAL.
Test plan
- TestCheckSkipsKnownSafePth: known-safe skipped, evil.pth still flagged
- import _virtualenv excluded
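The three layers the PR describes (filename allowlist, exclude patterns for known-safe imports, and a compound-statement pattern instead of a bare import match) as a stand-alone Go example. This is added illustration, not aguara's own checker.go; the subprocess/exec/eval patterns and the CheckPth/matchesAny names are assumptions, and the six filenames and the compound-statement regex are taken from the PR text.

```go
package main

import (
	"regexp"
	"strings"
)

// Filenames the PR allowlists: their "import" lines are legitimate site customization.
var knownSafePth = map[string]bool{
	"_virtualenv.pth": true, "distutils-precedence.pth": true, "easy-install.pth": true,
	"setuptools.pth": true, "coverage.pth": true, "zope-nspkg.pth": true,
}

// Signals that an import line runs code at startup. The compound-statement pattern is
// the one quoted in the PR; the subprocess/exec/eval patterns are assumed examples.
var suspicious = []*regexp.Regexp{
	regexp.MustCompile(`^import\s+\w+\s*;\s*\w`),
	regexp.MustCompile(`\bsubprocess\b`),
	regexp.MustCompile(`\b(exec|eval|__import__)\s*\(`),
}

// Import lines that are known-safe even in a file not on the allowlist (assumed list).
var excludedImports = []*regexp.Regexp{regexp.MustCompile(`^import\s+_virtualenv\s*$`)}
func matchesAny(res []*regexp.Regexp, s string) bool {
	for _, re := range res {
		if re.MatchString(s) {
			return true
		}
	}
	return false
}

// CheckPth returns the 1-based numbers of lines that look like startup code execution.
// site.py executes only lines beginning with "import " or "import\t"; any other line is a path entry.
func CheckPth(filename, content string) []int {
	if knownSafePth[filename] {
		return nil // allowlisted by name, skipped before any pattern runs
	}
	var hits []int
	for i, raw := range strings.Split(content, "\n") {
		line := strings.TrimRight(raw, " \t\r")
		if !(strings.HasPrefix(line, "import ") || strings.HasPrefix(line, "import\t")) || matchesAny(excludedImports, line) {
			continue
		}
		if matchesAny(suspicious, line) {
			hits = append(hits, i+1)
		}
	}
	return hits
}
```

A path entry that merely contains the word "subprocess" is never flagged, because site.py does not execute it.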