Skip to content

🔒 Fix security vulnerabilities in display_switch.py#15

Open
tstapler wants to merge 1 commit intomasterfrom
fix-display-switch-security-vulnerability-10610515049364856440
Open

🔒 Fix security vulnerabilities in display_switch.py#15
tstapler wants to merge 1 commit intomasterfrom
fix-display-switch-security-vulnerability-10610515049364856440

Conversation

@tstapler
Copy link
Owner

@tstapler tstapler commented Mar 5, 2026

This security fix addresses vulnerabilities in the display-switch utility. The primary issues were:

  1. Insecure Temporary File Creation: The state and log files were previously created at predictable paths in /tmp with insecure permissions, making them susceptible to symlink attacks and tampering by other users.
  2. Command Injection: Monitor names and other parameters from xrandr were not properly escaped before being written to a shell script, allowing for potential command injection.
  3. Insecure Execution: The state file was executed using shell=True, which is generally discouraged for security reasons.

Solution:

  • Secure Path Generation: Now uses user-prefixed filenames and prefers XDG_RUNTIME_DIR (typically /run/user/UID) which is private to the user.
  • Hardened File Creation: Uses os.O_EXCL and os.O_CREAT during os.open to ensure the file is created only if it doesn't exist, preventing symlink race conditions. Permissions are set to 0o600 (read/write only by owner).
  • Safe Command Construction: Uses shlex.join to correctly escape all command-line arguments, neutralizing potential injection attacks.
  • Defensive Execution: restore_state now performs ownership and permission checks before execution and calls /bin/bash directly without using a shell.

A new test file test_display_switch_security.py has been added to verify these security measures. All existing tests also pass.

PR created automatically by Jules for task 10610515049364856440 started by @tstapler

@google-labs-jules @tstapler
🔒 Fix insecure temporary file execution and command injection in disp…
fa85859 
…lay_switch.py

- Replaced hardcoded /tmp paths with secure, user-specific paths (prioritizing XDG_RUNTIME_DIR).
- Implemented secure file creation using os.open with os.O_EXCL and restrictive permissions (0o600) to prevent symlink attacks and unauthorized access.
- Used shlex.join for safe command construction to prevent command injection.
- Updated restore_state to verify file ownership and permissions before execution.
- Replaced shell=True in subprocess.run with explicit /bin/bash execution.
- Added a new security test suite to verify these improvements and prevent regressions.

Co-authored-by: tstapler <3860386+tstapler@users.noreply.github.com>
@google-labs-jules
Copy link
Contributor

google-labs-jules bot commented Mar 5, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@TylerStaplerAtFanatics TylerStaplerAtFanatics TylerStaplerAtFanatics approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tstapler @TylerStaplerAtFanatics