VYPR
← All advisories
High severityNVD Advisory· Published Aug 16, 2021· Updated Sep 16, 2024

Arbitrary Code Injection

CVE-2021-23422

Description

This affects the package bikeshed before 3.0.0. This can occur when an untrusted source file containing Inline Tag Command metadata is processed. When an arbitrary OS command is executed, the command output would be included in the HTML output.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Processing untrusted source files in Bikeshed before 3.0.0 can lead to arbitrary OS command execution via Inline Tag Command metadata.

Vulnerability

This vulnerability affects the Python package bikeshed before version 3.0.0. The issue occurs when an untrusted source file containing Inline Tag Command (ITC) metadata is processed by Bikeshed. If an attacker can provide a malicious source file with crafted ITC metadata, arbitrary OS commands can be executed during processing. The command output is then included in the generated HTML output. [1]

Exploitation

An attacker must provide a malicious source file to a Bikeshed user or system that processes the file. No authentication is required if the processing is automated or the user opens a crafted file. The vulnerability is triggered when Bikeshed's retrieveBoilerplateFile function reads a local file specified in the ITC metadata, which can include commands. The fix in commit b2f668f [3] introduces an allowLocal parameter to prevent the use of local files from untrusted sources, and sets chroot=False for group boilerplate paths, restricting file access. [2][3]

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands on the system processing the Bikeshed source file. The command output is included in the resulting HTML, leading to information disclosure and potential further compromise. This can result in full system compromise depending on the privileges of the Bikeshed process. [1]

Mitigation

The fixed version is 3.0.0, released on 2021-04-30 (as per the PyPI advisory [4]). Users should upgrade to this version or later. There is no workaround; processing untrusted source files with earlier versions is risky. No EOL or KEV listing is noted. [1][4]

References
  1. NVD - CVE-2021-23422
  2. GitHub - speced/bikeshed: :bike: A preprocessor for anyone writing specifications that converts source files into actual specs.
  3. Prevent escaping the source doc's folder, or running arbitrary code, … · speced/bikeshed@b2f668f
  4. advisory-database/vulns/bikeshed/PYSEC-2021-116.yaml at main · pypa/advisory-database

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
bikeshedPyPI
< 3.0.03.0.0

Affected products

1

Patches

1
b2f668fca204

Prevent escaping the source doc's folder, or running arbitrary code, without explicit opt-in at the command-line.

https://github.com/tabatkins/bikeshedTab Atkins-BittnerAug 7, 2021via ghsa
commit
8 files changed · +60 17
  • bikeshed/cli.py+14 0 modified
    @@ -75,6 +75,18 @@ def main():
         choices=["nothing", "fatal", "link-error", "warning", "everything"],
         help="Determines what sorts of errors cause Bikeshed to die (quit immediately with an error status code). Default is 'fatal'; the -f flag is a shorthand for 'nothing'",
     )
+    argparser.add_argument(
+        "--allow-nonlocal-files",
+        dest="allowNonlocalFiles",
+        action="store_true",
+        help="Allows Bikeshed to see/include files from folders higher than the one your source document is in."
+    )
+    argparser.add_argument(
+        "--allow-execute",
+        dest="allowExecute",
+        action="store_true",
+        help="Allow some features to execute arbitrary code from outside the Bikeshed codebase."
+    )
 
     subparsers = argparser.add_subparsers(title="Subcommands", dest="subparserName")
 
@@ -444,6 +456,8 @@ def main():
             constants.printMode = "console"
     else:
         constants.printMode = options.printMode
+    constants.chroot = not options.allowNonlocalFiles
+    constants.executeCode = options.allowExecute
 
     update.fixupDataFiles()
     if options.subparserName == "update":
  • bikeshed/config/main.py+16 1 modified
    @@ -4,6 +4,9 @@
 
 import lxml
 
+from .. import constants
+from .. import messages
+
 
 def englishFromList(items, conjunction="or"):
     # Format a list of strings into an English list.
@@ -168,7 +171,19 @@ def flatten(arr):
 
 def scriptPath(*pathSegs):
     startPath = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
-    return os.path.join(startPath, *pathSegs)
+    path = os.path.join(startPath, *pathSegs)
+    return path
+
+
+def chrootPath(chrootPath, path):
+    chrootPath = os.path.abspath(chrootPath)
+    path = os.path.abspath(path)
+    if not path.startswith(chrootPath):
+        messages.die(f"Attempted to access a file ({path}) outside the source document's directory ({chrootPath}). See --allow-nonlocal-files.")
+        raise Exception()
+    else:
+        return path
+
 
 
 def doEvery(s, action, lastTime=None):
  • bikeshed/config/retrieve.py+8 8 modified
    @@ -63,7 +63,7 @@ def _fail(self, location, str, okayToFail):
 )
 
 
-def retrieveBoilerplateFile(doc, name, group=None, status=None, error=True):
+def retrieveBoilerplateFile(doc, name, group=None, status=None, error=True, allowLocal=True):
     # Looks in three or four locations, in order:
     # the folder the spec source is in, the group's boilerplate folder, the megagroup's boilerplate folder, and the generic boilerplate folder.
     # In each location, it first looks for the file specialized on status, and then for the generic file.
@@ -77,7 +77,7 @@ def retrieveBoilerplateFile(doc, name, group=None, status=None, error=True):
             status = doc.md.rawStatus
     megaGroup, status = splitStatus(status)
 
-    searchLocally = doc.md.localBoilerplate[name]
+    searchLocally = allowLocal and doc.md.localBoilerplate[name]
 
     def boilerplatePath(*segs):
         return scriptPath("boilerplate", *segs)
@@ -101,13 +101,13 @@ def boilerplatePath(*segs):
                 # We should remove this after giving specs time to react to the warning:
                 sources.append(doc.inputSource.relative(f))
     if group:
-        sources.append(InputSource(boilerplatePath(group, statusFile)))
-        sources.append(InputSource(boilerplatePath(group, genericFile)))
+        sources.append(InputSource(boilerplatePath(group, statusFile), chroot=False))
+        sources.append(InputSource(boilerplatePath(group, genericFile), chroot=False))
     if megaGroup:
-        sources.append(InputSource(boilerplatePath(megaGroup, statusFile)))
-        sources.append(InputSource(boilerplatePath(megaGroup, genericFile)))
-    sources.append(InputSource(boilerplatePath(statusFile)))
-    sources.append(InputSource(boilerplatePath(genericFile)))
+        sources.append(InputSource(boilerplatePath(megaGroup, statusFile), chroot=False))
+        sources.append(InputSource(boilerplatePath(megaGroup, genericFile), chroot=False))
+    sources.append(InputSource(boilerplatePath(statusFile), chroot=False))
+    sources.append(InputSource(boilerplatePath(genericFile), chroot=False))
 
     # Watch all the possible sources, not just the one that got used, because if
     # an earlier one appears, we want to rebuild.
  • bikeshed/constants.py+2 0 modified
    @@ -9,6 +9,8 @@
 biblioDisplay = StringEnum("index", "inline")
 specClass = None
 testAnnotationURL = "https://test.csswg.org/harness/annotate.js"
+chroot = True
+executeCode = False
 
 
 def errorLevelAt(target):
  • bikeshed/extensions.py+2 1 modified
    @@ -1,8 +1,9 @@
 from . import config
+from . import constants
 from .h import *  # noqa: F401
 from .messages import *  # noqa: F401
 
 
 def load(doc):
-    code = config.retrieveBoilerplateFile(doc, "bs-extensions")
+    code = config.retrieveBoilerplateFile(doc, "bs-extensions", allowLocal=constants.executeCode)
     exec(code, globals())
  • bikeshed/inlineTags/__init__.py+4 0 modified
    @@ -1,11 +1,15 @@
 from subprocess import PIPE, Popen
 
+from .. import constants
 from ..h import *
 from ..messages import *
 
 
 def processTags(doc):
     for el in findAll("[data-span-tag]", doc):
+        if not constants.executeCode:
+            die("Found an inline code tag, but arbitrary code execution isn't allowed. See the --allow-execute flag.")
+            return
         tag = el.get("data-span-tag")
         if tag not in doc.md.inlineTagCommands:
             die("Unknown inline tag '{0}' found:\n  {1}", tag, outerHTML(el), el=el)
  • bikeshed/InputSource.py+13 6 modified
    @@ -13,6 +13,7 @@
 import requests
 import tenacity
 
+from . import config
 from .Line import Line
 
 
@@ -38,17 +39,17 @@ class InputSource:
     manager for temporarily switching to the directory of a file InputSource.
     """
 
-    def __new__(cls, sourceName: str):
+    def __new__(cls, sourceName: str, **kwargs):
         """Dispatches to the right subclass."""
         if cls != InputSource:
             # Only take control of calls to InputSource(...) itself.
             return super().__new__(cls)
 
         if sourceName == "-":
-            return StdinInputSource(sourceName)
+            return StdinInputSource(sourceName, **kwargs)
         if sourceName.startswith("https:"):
-            return UrlInputSource(sourceName)
-        return FileInputSource(sourceName)
+            return UrlInputSource(sourceName, **kwargs)
+        return FileInputSource(sourceName, **kwargs)
 
     @abstractmethod
     def __str__(self) -> str:
@@ -157,11 +158,17 @@ def relative(self, relativePath) -> UrlInputSource:
 
 
 class FileInputSource(InputSource):
-    def __init__(self, sourceName: str):
+    def __init__(self, sourceName: str, *, chroot: bool, chrootPath: Optional[str] = None):
         self.sourceName = sourceName
+        self.chrootPath = chrootPath
         self.type = "file"
         self.content = None
 
+        if chroot and self.chrootPath is None:
+            self.chrootPath = self.directory()
+        if self.chrootPath is not None:
+            self.sourceName = config.chrootPath(self.chrootPath, self.sourceName)
+
     def __str__(self) -> str:
         return self.sourceName
 
@@ -179,7 +186,7 @@ def directory(self) -> str:
         return os.path.dirname(os.path.abspath(self.sourceName))
 
     def relative(self, relativePath) -> FileInputSource:
-        return FileInputSource(os.path.join(self.directory(), relativePath))
+        return FileInputSource(os.path.join(self.directory(), relativePath), chroot=False, chrootPath=self.chrootPath)
 
     def cheaplyExists(self, relativePath) -> bool:
         return os.access(self.relative(relativePath).sourceName, os.R_OK)
  • bikeshed/Spec.py+1 1 modified
    @@ -58,7 +58,7 @@ def __init__(
                 "No input file specified, and no *.bs or *.src.html files found in current directory.\nPlease specify an input file, or use - to pipe from STDIN."
             )
             return
-        self.inputSource = InputSource(inputFilename)
+        self.inputSource = InputSource(inputFilename, chroot=constants.chroot)
         self.transitiveDependencies = set()
         self.debug = debug
         self.token = token

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.