fix: quote shell-special chars in Windows pip command to prevent CMD redirection

tagaws · tagaws · commit 489b5a3294c0 · 2026-04-16T20:44:51.000Z
diff --git a/python/rpdk/python/codegen.py b/python/rpdk/python/codegen.py
@@ -400,9 +400,15 @@ def _pip_build(cls, base_path):
         LOG.warning("Starting pip build.")
         try:
             # On windows run pip command through the default shell (CMD)
+            # Build a quoted string so CMD doesn't misinterpret '<' or '>'
+            # in version specifiers (e.g. 'setuptools<82') as redirection.
             if os.name == "nt":
+                cmd_str = " ".join(
+                    f'"{a}"' if any(c in a for c in ("<", ">", "&", "|")) else a
+                    for a in command
+                )
                 completed_proc = subprocess_run(  # nosec
-                    command,
+                    cmd_str,
                     stdout=PIPE,
                     stderr=PIPE,
                     cwd=base_path,
diff --git a/tests/plugin/codegen_test.py b/tests/plugin/codegen_test.py
@@ -540,6 +540,25 @@ def test__pip_build_called_process_error(tmp_path):
     assert isinstance(excinfo.value.__cause__, (FileNotFoundError, CalledProcessError))
 
 
+def test__pip_build_windows_quotes_version_specifiers(tmp_path):
+    """On Windows, args with '<' must be quoted so CMD doesn't treat them as redirection."""
+    command = ["pip", "install", "setuptools<82"]
+    patch_cmd = patch.object(
+        PythonLanguagePlugin, "_make_pip_command", return_value=command
+    )
+    patch_os = patch("rpdk.python.codegen.os.name", "nt")
+    patch_run = patch("rpdk.python.codegen.subprocess_run", autospec=True)
+
+    with patch_cmd, patch_os, patch_run as mock_run:
+        PythonLanguagePlugin._pip_build(tmp_path)
+
+    call_args = mock_run.call_args
+    cmd_arg = call_args[0][0]
+    assert isinstance(cmd_arg, str), "Windows branch must pass a string to subprocess_run"
+    assert "setuptools<82" in cmd_arg
+    assert call_args[1]["shell"] is True
+
+
 def test__build_pip(plugin):
     plugin._use_docker = False
     plugin._no_docker = True
@@ -592,7 +611,10 @@ def test__build_pip_windows(plugin):
         plugin._pip_build(temppath)
 
     mock_subproc.assert_called_once_with(
-        plugin._make_pip_command(temppath),
+        " ".join(
+            f'"{a}"' if any(c in a for c in ("<", ">", "&", "|")) else a
+            for a in plugin._make_pip_command(temppath)
+        ),
         stdout=ANY,
         stderr=ANY,
         cwd=temppath,
