Rule request
Description
When you put an opening parenthesis character ( inside a test id and run that test directly from the command line without wrapping the id in single quotes, unix-like shells treat it as a subshell.
This usually raises a syntax error and the command is not executed. But if a dollar sign character $ precedes the opening parenthesis, the shell always performs a real command substitution and splices the result into the test id, which could be a serious security problem.
$ pytest test.py::my_test[foo(echo malicious)]
bash: syntax error near unexpected element '('
$ pytest test.py::my_test[foo$(echo malicious)]
=== test session starts ===
...
collected 0 items
=== no tests ran in 0.00s ===
ERROR: file or directory not found: test.py::my_test[foomalicious]
$ pytest 'test.py::my_test[foo$(echo malicious)]'
=== test session starts ===
...
collected 0 items
=== no tests ran in 0.00s ===
ERROR: file or directory not found: test.py::my_test[foo$(echo malicious)]
Rationale
Commonly, you switch between running particular tests and forget to wrap the test identifiers in single quotes.