[Core] Prioritize extension's module path #24252

Closed
taoyama wants to merge 1 commit into Azure:dev from taoyama:dev

Conversation

@taoyama
Contributor

@taoyama taoyama commented Oct 18, 2022

Related command
az interactive

Description
With the current implementation, the module path for an extension is appended by sys.append(). Some modules, like interactive, need the old module, so we need to prioritize importing modules under the extension's directory instead of the default directory. This patch will fix problems like #24213.

Testing Guide
az interactive


With the current implementation, the module path for an extension is appended by sys.append().
Some modules, like interactive, need the old module, so we need to prioritize importing modules under the extension's directory instead of the default directory.
This patch will fix problems like Azure#24213
@ghost ghost added Auto-Assign Auto assign by bot Core CLI core infrastructure labels Oct 18, 2022
@ghost ghost requested review from jiasli and yonzhan October 18, 2022 15:50
@ghost ghost assigned jiasli Oct 18, 2022
@ghost ghost added this to the Oct 2022 (2022-11-01) milestone Oct 18, 2022
@yonzhan
Collaborator

yonzhan commented Oct 18, 2022

interactive

@yonzhan yonzhan requested a review from bebound October 18, 2022 23:07
@jiasli
Member

jiasli commented Oct 19, 2022

Thanks for the contribution. However, this change was previously proposed by #12778 but was rejected due to security concerns.

Allowing extensions to override packages from main Azure CLI's env may break Azure CLI itself. For example, for #24213, preferring prompt_toolkit from az interactive will break az spring-cloud which depends on prompt_toolkit 3.0.31.

This may cause a security breach - a malicious extension can inject tampered packages to override main Azure CLI's behavior. It can intercept access tokens, manipulate HTTP requests, etc.
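The point jiasli raises above comes down to how Python's import system walks sys.path: the first directory that contains a package of the requested name wins, so appending an extension directory leaves the core environment's copy in charge, while inserting it at position 0 lets the extension's copy shadow it. The script below is an added example written for this page, not Azure CLI code. It builds two throwaway site directories containing a constructed package (demo_pkg, a hypothetical name chosen so it collides with nothing real), imports it under both orderings, and shows a simple integrity check that detects when a package expected from the core directory has been shadowed.

```python
"""Added example: how sys.path order decides which copy of a same-named
package is imported, and how to detect shadowing by an extension directory.
Not Azure CLI code; package and directory names are constructed."""
import importlib
import os
import sys
import tempfile
import textwrap

PKG = "demo_pkg"  # hypothetical package name; stands in for e.g. prompt_toolkit


def make_tree(root):
    """Create two site directories, each shipping its own copy of demo_pkg.
    The 'core' copy stands for the package installed with the CLI itself;
    the 'ext' copy stands for one vendored by an extension (constructed)."""
    dirs = {}
    for name in ("core", "ext"):
        site = os.path.join(root, name)
        os.makedirs(os.path.join(site, PKG))
        with open(os.path.join(site, PKG, "__init__.py"), "w") as fh:
            fh.write(textwrap.dedent(f'''
                ORIGIN = "{name}"

                def get_token():
                    # an extension's copy could return, log, or forward anything here
                    return "token-from-{name}"
            '''))
        dirs[name] = site
    return dirs["core"], dirs["ext"]


def fresh_import(search_path):
    """Import demo_pkg with search_path placed ahead of the normal sys.path,
    discarding any cached copy so the resolution is decided by order alone."""
    saved_path = sys.path[:]
    try:
        sys.modules.pop(PKG, None)
        sys.path[:] = list(search_path) + saved_path
        importlib.invalidate_caches()  # the temp dirs are new; drop finder caches
        return importlib.import_module(PKG)
    finally:
        sys.path[:] = saved_path
        sys.modules.pop(PKG, None)


def search_order(core_dir, ext_dir, prefer_extension):
    """prefer_extension=False mirrors sys.path.append(ext_dir) (current behaviour);
    prefer_extension=True mirrors sys.path.insert(0, ext_dir) (what the PR proposed)."""
    return [ext_dir, core_dir] if prefer_extension else [core_dir, ext_dir]


def which_wins(core_dir, ext_dir, prefer_extension):
    """Return the token produced by whichever copy importlib resolved."""
    mod = fresh_import(search_order(core_dir, ext_dir, prefer_extension))
    return mod.get_token()


def core_package_intact(core_dir, ext_dir, prefer_extension):
    """Integrity guard: True only if the imported package really lives under
    core_dir. False means a copy from another directory shadowed it."""
    mod = fresh_import(search_order(core_dir, ext_dir, prefer_extension))
    real = os.path.realpath(mod.__file__)
    return real.startswith(os.path.realpath(core_dir) + os.sep)


def demo():
    """Run both orderings and report what was loaded and whether the guard fires."""
    with tempfile.TemporaryDirectory() as root:
        core, ext = make_tree(root)
        return {
            "append": which_wins(core, ext, prefer_extension=False),
            "insert0": which_wins(core, ext, prefer_extension=True),
            "append_intact": core_package_intact(core, ext, prefer_extension=False),
            "insert0_intact": core_package_intact(core, ext, prefer_extension=True),
        }


if __name__ == "__main__":
    print(demo())
```

With the extension directory appended, get_token() comes from the core copy and the guard passes; with it inserted first, the extension's copy answers instead and the guard reports the shadowing. The guard is only a cheap path check on `__file__`; it says nothing about tampering inside the core directory itself.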

@taoyama
Contributor Author

taoyama commented Oct 19, 2022

@jiasli
Thank you for your reply.
I understand your point, but why would we allow loading modules for extensions in the first place?
I think that is the biggest security concern here... isn't it?

@taoyama taoyama closed this Oct 19, 2022