Black Python Code Formatter Arbitrary File Write Vulnerability
Vulnerability
A vulnerability in the Black Python code formatter prior to version 26.3.1 allows an arbitrary file write. Black names its per-mode cache file from the formatting options in effect, including the `--python-cell-magics` option. Before 26.3.1 the magic names were concatenated into the file name as-is, with no sanitization, so a value containing path separators or `..` components moves the cache file out of Black's cache directory to a location of the attacker's choosing. Black reads the same options from the `[tool.black]` table of a project's `pyproject.toml`, so the value does not have to be supplied on the command line.
Impact
Exploitation lets an attacker who controls the `--python-cell-magics` value (or the project configuration that sets it) choose where Black writes its cache file. The write happens with the privileges of the user running Black, and the file contents are Black's own serialised cache data rather than attacker-chosen bytes, so the main risk is destroying or replacing existing files and causing follow-on disruption. Environments that run Black over untrusted repositories, such as CI jobs that format contributor pull requests, are the most exposed.
Reproduction
The vulnerability can be reproduced by running an affected version of Black with a crafted `--python-cell-magics` value that contains path separators or `..` components. Black then writes its cache file to the path those components resolve to instead of to its cache directory, demonstrating the arbitrary file write.
Remediation
Users should update to Black version 26.3.1 or later, which hashes the component derived from `--python-cell-magics` so that custom magic names can no longer influence the cache file path. Release notes and download instructions for Black 26.3.1 are available on the Black GitHub releases page; `black --version` confirms which version is installed.
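The following is an added illustration, not Black's own code: it models the pattern the advisory describes (the pre-26.3.1 construction that joins magic names straight into the cache file name, and the hashed construction that replaces it) in simplified form, and adds a lexical containment check showing where each name would land. Black's real cache-key format, the cache directory `/var/cache/black`, the line-length field and the crafted magic name are all assumptions constructed for this example.

```python
import hashlib
import posixpath

# Assumed cache location, constructed for this example. Black's real cache
# directory is chosen per user and per Black version and is not modelled here.
CACHE_DIR = "/var/cache/black"


def vulnerable_cache_name(line_length: int, cell_magics: set[str]) -> str:
    """Cache file name built the way the advisory describes the pre-26.3.1
    behaviour: the sorted magic names are joined into the name unsanitized."""
    magics = ",".join(sorted(cell_magics))
    return f"cache.{line_length}.{magics}.pickle"


def hardened_cache_name(line_length: int, cell_magics: set[str]) -> str:
    """Same inputs, but the magic names only reach the file name as a SHA-256
    hex digest, which is fixed-length and cannot contain '/', '\\' or '..'."""
    magics = ",".join(sorted(cell_magics))
    digest = hashlib.sha256(magics.encode("utf-8")).hexdigest()
    return f"cache.{line_length}.{digest}.pickle"


def resolved_cache_path(cache_dir: str, name: str) -> str:
    """Lexically resolve where a cache file name would land (no filesystem access,
    so it runs offline and does not depend on what directories exist)."""
    return posixpath.normpath(posixpath.join(cache_dir, name))


def escapes_cache_dir(cache_dir: str, name: str) -> bool:
    """Containment check: True if the resolved path is not inside cache_dir.
    A check like this belongs next to any file name built from user input."""
    root = posixpath.normpath(cache_dir)
    target = resolved_cache_path(root, name)
    return posixpath.commonpath([root, target]) != root


def demo() -> dict[str, str]:
    """Compare the two constructions on a benign and on a crafted magic set."""
    benign = {"time", "timeit"}           # ordinary IPython cell magics
    crafted = {"/../../../tmp/pwned"}     # constructed attacker value for --python-cell-magics
    results = {}
    for label, magics in (("benign", benign), ("crafted", crafted)):
        for kind, builder in (("vulnerable", vulnerable_cache_name),
                              ("hardened", hardened_cache_name)):
            name = builder(88, magics)
            target = resolved_cache_path(CACHE_DIR, name)
            escaped = escapes_cache_dir(CACHE_DIR, name)
            results[f"{label}/{kind}"] = f"{target} (escapes cache dir: {escaped})"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} -> {value}")
```

With the crafted value the vulnerable construction resolves to `/var/tmp/pwned.pickle`, outside the cache directory, while the hashed construction stays under `/var/cache/black` because a hex digest has nothing the path resolver can interpret. Hashing also keeps the file name bounded in length, and the containment check is a cheap second line of defence if the naming scheme changes again.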
