[LOTP] Add mdformat #27

Open
fproulx-boostsecurity opened this issue Mar 28, 2024 · 1 comment
Labels
idea invalid This doesn't seem right

Comments

@fproulx-boostsecurity
Contributor

Description of the LOTP tool

mdformat is a markdown formatting tool that can be configured with a config file.

Configuration files

.mdformat.toml

Documentation

https://mdformat.readthedocs.io/en/stable/users/configuration_file.html

Real-world example

Seen in the wild...

@fproulx-boostsecurity fproulx-boostsecurity added the good first issue Good for newcomers label Nov 19, 2024
@Talgarr Talgarr self-assigned this Feb 11, 2025
@Talgarr Talgarr added invalid This doesn't seem right and removed good first issue Good for newcomers labels Feb 11, 2025
@Talgarr
Collaborator

Talgarr commented Feb 11, 2025

After some research:

  • The config file can be a symlink, but it is still loaded as a TOML file and the keys and values are checked, so there is probably no way to get an arbitrary read.
  • We can modify an arbitrary file via a symlink, but the modification is from the parser, which doesn't allow custom format rules.
  • The modules are loaded via importlib_metadata.entry_points(group="mdformat.parser_extension"), which only checks the PATH for Python modules, which prevents the creation of a malicious package.

Not checked: the list of format extensions here.
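
A pre-run audit for CI jobs that run mdformat on an untrusted checkout, covering the two symlink cases and the entry-point group mentioned in the comment above. This is an added example, not part of the issue thread or of mdformat itself; the function names and the sample tree in `demo()` are constructed for illustration.

```python
import os
import tempfile
from importlib import metadata
from pathlib import Path

CONFIG_NAME = ".mdformat.toml"              # config file named in the issue
PLUGIN_GROUP = "mdformat.parser_extension"  # entry-point group quoted in the comment


def escaping_symlinks(repo_root):
    """Return (relative path, resolved target) for the config file and any
    Markdown file that is a symlink resolving outside the checkout."""
    root = Path(repo_root).resolve()
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if name != CONFIG_NAME and not name.endswith(".md"):
                continue
            path = Path(dirpath) / name
            target = path.resolve()  # follows the whole link chain
            if path.is_symlink() and root not in target.parents:
                hits.append((str(path.relative_to(root)), str(target)))
    return sorted(hits)


def installed_plugins():
    """List (name, value) of parser extensions visible to this interpreter."""
    eps = metadata.entry_points()
    # .select() exists on Python 3.10+; older versions return a dict of groups.
    group = eps.select(group=PLUGIN_GROUP) if hasattr(eps, "select") else eps.get(PLUGIN_GROUP, [])
    return sorted((ep.name, ep.value) for ep in group)


def demo():
    """Constructed sample tree: two links leave the repo, one stays inside."""
    with tempfile.TemporaryDirectory() as tmp:
        outside, repo = Path(tmp, "outside"), Path(tmp, "repo")
        outside.mkdir()
        (repo / "docs").mkdir(parents=True)
        for f in (outside / "secret.toml", outside / "notes.md", repo / "README.md"):
            f.write_text("x\n")
        (repo / CONFIG_NAME).symlink_to(outside / "secret.toml")
        (repo / "docs" / "notes.md").symlink_to(outside / "notes.md")
        (repo / "docs" / "local.md").symlink_to(repo / "README.md")  # stays inside
        return [rel for rel, _ in escaping_symlinks(repo)]


if __name__ == "__main__":
    print(demo(), installed_plugins())
```

A job can fail the build when `escaping_symlinks()` returns anything, and compare `installed_plugins()` against the set of extensions it expects to be installed.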
