[Python] - Fix for security vulnerability GHSA-r9hx-vwmv-q579 for set…

…uptools-65.5.0 lib on python using python image (#815)

* [Python] - Fix for security vulnerability GHSA-r9hx-vwmv-q579 for setuptools-65.5.0 lib on python using python image

* [Python] - Added one more test

* [Python] - Fix for security vulnerability GHSA-r9hx-vwmv-q579 for setuptools-65.5.0 lib on python using python image

* [Python] - Added one more test

* Changes as suggested by comments

* removed second line (L465) that removed a non existent dirrectory

* bump patch version & change code to pass failing tests

src/python/devcontainer-feature.json

@@ -1,6 +1,6 @@
 {
   "id": "python",
-  "version": "1.3.1",
+  "version": "1.3.2",
   "name": "Python",
   "documentationURL": "https://github.com/devcontainers/features/tree/main/src/python",
   "description": "Installs the provided version of Python, as well as PIPX, and other common Python utilities.  JupyterLab is conditionally installed with the python feature. Note: May require source code compilation.",

src/python/install.sh

@@ -454,6 +454,16 @@ if [[ "${INSTALL_PYTHON_TOOLS}" = "true" ]] && [[ $(python --version) != "" ]];
             echo "${util} already installed. Skipping."
         fi
     done
+
+    # Temporary: Removes “setup tools” metadata directory due to https://github.com/advisories/GHSA-r9hx-vwmv-q579
+
+    VULNERABLE_VERSIONS=("3.10" "3.11")
+    RUN_TIME_PY_VER_DETECT=$(python --version 2>&1)
+    PY_MAJOR_MINOR_VER=${RUN_TIME_PY_VER_DETECT:7:4};
+    if [[ ${VULNERABLE_VERSIONS[*]} =~ $PY_MAJOR_MINOR_VER ]]; then
+        rm -rf  ${PIPX_HOME}/shared/lib/"python${PY_MAJOR_MINOR_VER}"/site-packages/setuptools-65.5.0.dist-info
+    fi
+
     rm -rf /tmp/pip-tmp
 
     updaterc "export PIPX_HOME=\"${PIPX_HOME}\""

test/python/install_python310_setuptools_vulnerability.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+set -e
+
+# Optional: Import test library
+source dev-container-features-test-lib
+
+FAILED=()
+
+echoStderr()
+{
+    echo "$@" 1>&2
+}
+
+check-version-ge() {
+    LABEL=$1
+    CURRENT_VERSION=$2
+    REQUIRED_VERSION=$3
+    shift
+    echo -e "\n🧪 Testing $LABEL: '$CURRENT_VERSION' is >= '$REQUIRED_VERSION'"
+    local GREATER_VERSION=$((echo ${CURRENT_VERSION}; echo ${REQUIRED_VERSION}) | sort -V | tail -1)
+    if [ "${CURRENT_VERSION}" == "${GREATER_VERSION}" ]; then
+        echo "✅  Passed!"
+        return 0
+    else
+        echoStderr "❌ $LABEL check failed."
+        FAILED+=("$LABEL")
+        return 1
+    fi
+}
+
+checkPythonPackageVersion()
+{
+    PACKAGE=$1
+    REQUIRED_VERSION=$2
+
+    current_version=$(python -c "import importlib.metadata; print(importlib.metadata.version('${PACKAGE}'))")
+    check-version-ge "${PACKAGE}-requirement" "${current_version}" "${REQUIRED_VERSION}"
+}
+
+checkPythonPackageVersion "setuptools" "65.5.1"
+
+# Check that tools can execute - make sure something didn't get messed up in this scenario
+check "autopep8" autopep8 --version
+check "black" black --version
+check "yapf" yapf --version
+check "bandit" bandit --version
+check "flake8" flake8 --version
+check "mypy" mypy --version
+check "pycodestyle" pycodestyle --version
+check "pydocstyle" pydocstyle --version
+check "pylint" pylint --version
+check "pytest" pytest --version
+check "setuptools" pip list | grep setuptools
+
+# Check paths in settings
+check "which autopep8" bash -c "which autopep8 | grep /usr/local/py-utils/bin/autopep8"
+check "which black" bash -c "which black | grep /usr/local/py-utils/bin/black"
+check "which yapf" bash -c "which yapf | grep /usr/local/py-utils/bin/yapf"
+check "which bandit" bash -c "which bandit | grep /usr/local/py-utils/bin/bandit"
+check "which flake8" bash -c "which flake8 | grep /usr/local/py-utils/bin/flake8"
+check "which mypy" bash -c "which mypy | grep /usr/local/py-utils/bin/mypy"
+check "which pycodestyle" bash -c "which pycodestyle | grep /usr/local/py-utils/bin/pycodestyle"
+check "which pydocstyle" bash -c "which pydocstyle | grep /usr/local/py-utils/bin/pydocstyle"
+check "which pylint" bash -c "which pylint | grep /usr/local/py-utils/bin/pylint"
+check "which pytest" bash -c "which pytest | grep /usr/local/py-utils/bin/pytest"
+
+checkVulnerableDir() 
+{
+    DIRECTORY=$1
+    VERSION=$2
+    
+    if [[ -d $DIRECTORY ]] ; then
+        echoStderr "❌ check for vulnerable setuptools version failed for python ${VERSION}."
+        return 1
+    else
+        echo "✅ Passed! Either the container does not have vulnerable version or vulnerable version specific directory got removed."
+        return 0
+    fi
+}
+
+bash -c "echo -e -n '\n'";
+bash -c "echo -e 'Files/Folders related to setuptools :-'"; 
+bash -c "find / -name \"*setuptools*\";" 
+
+# only for 3.10
+checkVulnerableDir "/usr/local/py-utils/shared/lib/python3.10/site-packages/setuptools-65.5.0.dist-info" "3.10"
+
+# Report result
+reportResults

test/python/install_python311_setuptools_vulnerability.sh

@@ -0,0 +1,90 @@
+#!/bin/bash
+
+set -e
+
+# Optional: Import test library
+source dev-container-features-test-lib
+
+FAILED=()
+
+echoStderr()
+{
+    echo "$@" 1>&2
+}
+
+check-version-ge() {
+    LABEL=$1
+    CURRENT_VERSION=$2
+    REQUIRED_VERSION=$3
+    shift
+    echo -e "\n🧪 Testing $LABEL: '$CURRENT_VERSION' is >= '$REQUIRED_VERSION'"
+    local GREATER_VERSION=$((echo ${CURRENT_VERSION}; echo ${REQUIRED_VERSION}) | sort -V | tail -1)
+    if [ "${CURRENT_VERSION}" == "${GREATER_VERSION}" ]; then
+        echo "✅  Passed!"
+        return 0
+    else
+        echoStderr "❌ $LABEL check failed."
+        FAILED+=("$LABEL")
+        return 1
+    fi
+}
+
+checkPythonPackageVersion()
+{
+    PACKAGE=$1
+    REQUIRED_VERSION=$2
+
+    current_version=$(python -c "import importlib.metadata; print(importlib.metadata.version('${PACKAGE}'))")
+    check-version-ge "${PACKAGE}-requirement" "${current_version}" "${REQUIRED_VERSION}"
+}
+
+checkPythonPackageVersion "setuptools" "65.5.1"
+
+# Check that tools can execute - make sure something didn't get messed up in this scenario
+check "autopep8" autopep8 --version
+check "black" black --version
+check "yapf" yapf --version
+check "bandit" bandit --version
+check "flake8" flake8 --version
+check "mypy" mypy --version
+check "pycodestyle" pycodestyle --version
+check "pydocstyle" pydocstyle --version
+check "pylint" pylint --version
+check "pytest" pytest --version
+check "setuptools" pip list | grep setuptools
+
+# Check paths in settings
+check "which autopep8" bash -c "which autopep8 | grep /usr/local/py-utils/bin/autopep8"
+check "which black" bash -c "which black | grep /usr/local/py-utils/bin/black"
+check "which yapf" bash -c "which yapf | grep /usr/local/py-utils/bin/yapf"
+check "which bandit" bash -c "which bandit | grep /usr/local/py-utils/bin/bandit"
+check "which flake8" bash -c "which flake8 | grep /usr/local/py-utils/bin/flake8"
+check "which mypy" bash -c "which mypy | grep /usr/local/py-utils/bin/mypy"
+check "which pycodestyle" bash -c "which pycodestyle | grep /usr/local/py-utils/bin/pycodestyle"
+check "which pydocstyle" bash -c "which pydocstyle | grep /usr/local/py-utils/bin/pydocstyle"
+check "which pylint" bash -c "which pylint | grep /usr/local/py-utils/bin/pylint"
+check "which pytest" bash -c "which pytest | grep /usr/local/py-utils/bin/pytest"
+
+checkVulnerableDir() 
+{
+    DIRECTORY=$1
+    VERSION=$2
+    
+    if [[ -d $DIRECTORY ]] ; then
+        echoStderr "❌ check for vulnerable setuptools version failed for python ${VERSION}."
+        return 1
+    else
+        echo "✅ Passed! Either the container does not have vulnerable version or vulnerable version specific directory got removed."
+        return 0
+    fi
+}
+
+bash -c "echo -e -n '\n'";
+bash -c "echo -e 'Files/Folders related to setuptools :-'"; 
+bash -c "find / -name \"*setuptools*\";" 
+
+# only for 3.11
+checkVulnerableDir "/usr/local/py-utils/shared/lib/python3.11/site-packages/setuptools-65.5.0.dist-info" "3.11"
+
+# Report result
+reportResults

test/python/scenarios.json

@@ -1,4 +1,22 @@
 {
+    "install_python310_setuptools_vulnerability": {
+        "image": "python:3.10",
+        "features": {
+            "python": {
+                "version": "none",
+                "installTools": true
+            }
+        }
+    },
+    "install_python311_setuptools_vulnerability": {
+        "image": "python:3.11",
+        "features": {
+            "python": {
+                "version": "none",
+                "installTools": true
+            }
+        }
+    },
     "install_additional_python": {
         "image": "ubuntu:focal",
         "features": {