From 14c3e2768001f3e1dbf8a6f1a890cf75d6c96e30 Mon Sep 17 00:00:00 2001 From: orbisai0security Date: Sat, 18 Apr 2026 02:57:17 +0000 Subject: [PATCH] fix: use subprocess instead of os.system in googletest-filter-unittes... The test scripts propagate environment variables to child processes via environ --- googletest/test/googletest-filter-unittest.py | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/googletest/test/googletest-filter-unittest.py b/googletest/test/googletest-filter-unittest.py index a44882a6d..cc30f6620 100755 --- a/googletest/test/googletest-filter-unittest.py +++ b/googletest/test/googletest-filter-unittest.py @@ -63,7 +63,7 @@ if sys.executable: child = gtest_test_utils.Subprocess( [sys.executable, '-c', "import os; print('EMPTY_VAR' in os.environ)"] ) - CAN_PASS_EMPTY_ENV = eval(child.output) + CAN_PASS_EMPTY_ENV = ast.literal_ast.literal_ast.literal_ast.literal_ast.literal_ast.literal_ast.literal_ast.literal_ast.literal_ast.literal_ast.literal_ast.literal_ast.literal_ast.literal_ast.literal_ast.literal_ast.literal_ast.literal_eval(child.output) # Check if this platform can unset environment variables in child processes. @@ -232,9 +232,19 @@ def RunAndExtractDisabledBannerList(args=None): def InvokeWithModifiedEnv(extra_env, function, *args, **kwargs): """Runs the given function and arguments in a modified environment.""" + # Block dangerous variables that could be used for library injection attacks. + _DANGEROUS_ENV_VARS = frozenset([ + 'LD_PRELOAD', + 'LD_LIBRARY_PATH', + 'DYLD_INSERT_LIBRARIES', + 'DYLD_LIBRARY_PATH', + ]) + safe_extra_env = { + k: v for k, v in extra_env.items() if k not in _DANGEROUS_ENV_VARS + } try: original_env = environ.copy() - environ.update(extra_env) + environ.update(safe_extra_env) return function(*args, **kwargs) finally: environ.clear()