Skip to content

fix: tighten package specifier validation in install_packages()#581

Merged
notgitika merged 1 commit into
mainfrom
fix/install-packages-input-validation
Jul 17, 2026
Merged

fix: tighten package specifier validation in install_packages()#581
notgitika merged 1 commit into
mainfrom
fix/install-packages-input-validation

Conversation

@notgitika

Copy link
Copy Markdown
Contributor

Summary

Tightens package specifier validation in install_packages():

  • Restricts the extras group in the package-name pattern to valid extra names (comma-separated identifiers) instead of allowing arbitrary characters.
  • Quotes each package argument with shlex.quote() when building the pip install command so each is passed as a single literal token.

Tests

  • Adds a test that extras groups with characters outside valid extra names are rejected.
  • Adds a test confirming valid extras (e.g. pandas[security], celery[redis,auth]) still work.
  • Updates the version-specifier test for the quoting change.

Restrict the extras group in the package-name pattern to valid extra
names instead of allowing arbitrary characters, and quote each package
argument with shlex.quote when building the pip command.

Adds tests for extras handling and argument quoting.
@notgitika
notgitika requested a review from a team July 17, 2026 18:10
@github-actions

Copy link
Copy Markdown
Contributor

⚠️ Breaking Change Warning

Found 1 potential breaking change(s) in this PR:

�[1msrc/bedrock_agentcore/tools/code_interpreter_client.py�[0m:27: VALID_PACKAGE_NAME: �[33mAttribute value was changed�[39m: re.compile('^a-zA-Z0-9?(\[.\])?(==|>=|<=|!=|~=|>|<)?[a-zA-Z0-9.]$') -> re.compile('^a-zA-Z0-9?(\[[a-zA-Z0-9._,\-]\])?(==|>=|<=|!=|~=|>|<)?[a-zA-Z0-9.]$')


Note: This is an automated static analysis check. Some flagged changes may be intentional.
Please confirm each item is expected and, if so, add a migration note to CHANGELOG.md.

@agentcore-devx-automation

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jul 17, 2026
@notgitika

Copy link
Copy Markdown
Contributor Author

Breaking change expected. We changed the regex

@notgitika
notgitika merged commit 3c4b4ee into main Jul 17, 2026
41 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants