emacs-orgmode@gnu.org archives
From: Ihor Radchenko <yantar92@posteo.net>
To: Max Nikulin <manikulin@gmail.com>
Cc: emacs-orgmode@gnu.org
Subject: Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
Date: Mon, 21 Aug 2023 07:04:17 +0000
Message-ID: <87h6os6fm6.fsf@localhost>
In-Reply-To: <ubpllb$c7n$1@ciao.gmane.io>


Max Nikulin <manikulin@gmail.com> writes:

>> Do you have any ideas how to work around the deliberately constructed
>> header argument values like in your example?
>
> Perhaps `gensym' may be used to create a symbol that can not appear in a 
> document. I am unsure if the following `pcase' variant may be improved
> ...
> ;; or ob-shell-argument-literal-symbol
> (defconst ob-literal-symbol (gensym "literal"))

Good idea.
I am attaching a tentative fix that uses the proposed approach.
Not yet merging - need to go through other babel backends and make them
use the new API.


[-- Attachment #2: 0001-org-macs-New-common-API-function-to-quote-shell-argu.patch --]
[-- Type: text/x-patch, Size: 2241 bytes --]

From dfc03c0330b96ff4fbe14df39ba895427b8fd004 Mon Sep 17 00:00:00 2001
Message-ID: <dfc03c0330b96ff4fbe14df39ba895427b8fd004.1692601432.git.yantar92@posteo.net>
From: Ihor Radchenko <yantar92@posteo.net>
Date: Mon, 21 Aug 2023 09:57:50 +0300
Subject: [PATCH 1/2] org-macs: New common API function to quote shell
 arguments

* lisp/org-macs.el (org-shell-arg-literal): New auxiliary constant.
(org-make-shell-command): New function that returns shell command
built from individual shell arguments, escaping them to prevent
malicious code execution.

Link: https://orgmode.org/list/ub549k$q11$1@ciao.gmane.io
---
 lisp/org-macs.el | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/lisp/org-macs.el b/lisp/org-macs.el
index 907e8bed7..95af9e45e 100644
--- a/lisp/org-macs.el
+++ b/lisp/org-macs.el
@@ -1593,6 +1593,37 @@ (defun org-sxhash-safe (obj &optional counter)
 	  (puthash hash obj org-sxhash-objects)
 	  (puthash obj hash org-sxhash-hashes)))))
 
+(defconst org-shell-arg-literal (gensym "literal")
+  "Symbol to be used to mark shell arguments that should not be escaped.
+See `org-make-shell-command'.")
+(defun org-make-shell-command (command &rest args)
+  "Build safe shell command string to run COMMAND with ARGS.
+
+The resulting shell command is safe against malicious shell expansion.
+
+ARGS can be nil, strings, (LITERAL STRING), or a list of
+such elements.  LITERAL must be the value of `org-shell-arg-literal'.
+
+Strings will be quoted with `shell-quote-argument' while \(literal
+STRING) will be used without quoting.  nil values will be ignored."
+  (concat
+   command (when command " ")
+   (mapconcat
+    #'identity
+    (delq
+     nil
+     (mapcar
+      (lambda (str-def)
+        (pcase str-def
+          (`(or nil "") nil)
+          ((pred stringp) (shell-quote-argument str-def))
+          (`(,(pred (eq org-shell-arg-literal)) ,(and (pred stringp) str))
+           str)
+          ((pred listp) (apply #'org-make-shell-command nil str-def))
+          (_ (error "Unknown ARG specification: %S" str-def))))
+      args))
+    " ")))
+
 (defun org-compile-file (source process ext &optional err-msg log-buf spec)
   "Compile a SOURCE file using PROCESS.
 
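Review bot: the first `pcase` branch, `(`(or nil "") nil)`, never matches, because the leading backquote makes `(or nil "")` a list pattern that only matches the literal three-element list `(or nil "")`, not an `or` of the two values. As written, an empty string falls through to `(pred stringp)` and is emitted as `''`, an empty positional argument handed to the command, and `nil` falls through to `(pred listp)` (since `(listp nil)` is t), where the recursive call `(apply #'org-make-shell-command nil nil)` returns `""` rather than `nil`, so the outer `delq nil` does not drop it and the joined command picks up stray spaces. Drop the backquote, e.g. `((or 'nil "") nil)`, so the branch does what the docstring ("nil values will be ignored") promises. Two smaller points in the same hunk: the docstring writes `\(literal STRING)` where the sentence before it says `(LITERAL STRING)`, and it should say that quoting is done by `shell-quote-argument`, whose rules depend on the platform shell, so the result must be run through the shell Emacs assumes and not through some other interpreter.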
-- 
2.41.0


[-- Attachment #3: 0002-org-babel-execute-sqlite-Fix-shell-arg-expansion-vul.patch --]
[-- Type: text/x-patch, Size: 2633 bytes --]

From d7a8dd47aa06e715b6bb213914d43f973c6cb413 Mon Sep 17 00:00:00 2001
Message-ID: <d7a8dd47aa06e715b6bb213914d43f973c6cb413.1692601432.git.yantar92@posteo.net>
In-Reply-To: <dfc03c0330b96ff4fbe14df39ba895427b8fd004.1692601432.git.yantar92@posteo.net>
References: <dfc03c0330b96ff4fbe14df39ba895427b8fd004.1692601432.git.yantar92@posteo.net>
From: Ihor Radchenko <yantar92@posteo.net>
Date: Mon, 21 Aug 2023 09:59:12 +0300
Subject: [PATCH 2/2] org-babel-execute:sqlite: Fix shell arg expansion
 vulnerability

* lisp/ob-sqlite.el (org-babel-execute:sqlite): Use
`org-make-shell-command' to escape the strings taken from Org file.
This will prevent abusing shell expansion.

Reported-by: Max Nikulin <manikulin@gmail.com>
Link: https://orgmode.org/list/ub549k$q11$1@ciao.gmane.io
---
 lisp/ob-sqlite.el | 34 ++++++++++++++--------------------
 1 file changed, 14 insertions(+), 20 deletions(-)

diff --git a/lisp/ob-sqlite.el b/lisp/ob-sqlite.el
index 7510e5158..27e495fce 100644
--- a/lisp/ob-sqlite.el
+++ b/lisp/ob-sqlite.el
@@ -77,26 +77,20 @@ (defun org-babel-execute:sqlite (body params)
     (with-temp-buffer
       (insert
        (org-babel-eval
-	(org-fill-template
-	 "%cmd %header %separator %nullvalue %others %csv %db "
-	 (list
-	  (cons "cmd" org-babel-sqlite3-command)
-	  (cons "header" (if headers-p "-header" "-noheader"))
-	  (cons "separator"
-		(if separator (format "-separator %s" separator) ""))
-	  (cons "nullvalue"
-		(if nullvalue (format "-nullvalue %s" nullvalue) ""))
-	  (cons "others"
-		(mapconcat
-		 (lambda (arg) (format "-%s" (substring (symbol-name arg) 1)))
-		 others " "))
-	  ;; for easy table parsing, default header type should be -csv
-	  (cons "csv" (if (or (member :csv others) (member :column others)
-			      (member :line others) (member :list others)
-			      (member :html others) separator)
-			  ""
-			"-csv"))
-          (cons "db" (or db ""))))
+        (org-make-shell-command
+         org-babel-sqlite3-command
+         (if headers-p "-header" "-noheader")
+         (when separator (format "-separator %s" separator))
+         (when nullvalue (format "-nullvalue %s" nullvalue))
+         (mapcar
+	  (lambda (arg) (format "-%s" (substring (symbol-name arg) 1)))
+	  others)
+         ;; for easy table parsing, default header type should be -csv
+         (unless (or (member :csv others) (member :column others)
+		     (member :line others) (member :list others)
+		     (member :html others) separator)
+	   "-csv")
+         db)
 	;; body of the code block
 	(org-babel-expand-body:sqlite body params)))
       (org-babel-result-cond result-params
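Review bot: `(when separator (format "-separator %s" separator))` and the matching `-nullvalue` line hand `org-make-shell-command` a single string, so option and value are quoted together as one argument (for `|` that is `'-separator |'`); sqlite3 expects `-separator` and its value as two separate argv entries, so it will not recognise the combined token and the `:separator` and `:nullvalue` header arguments stop working after this change. The `(pred listp)` branch of `org-make-shell-command` already splices a sub-list and quotes each element on its own, so pass `(when separator (list "-separator" separator))` and `(when nullvalue (list "-nullvalue" nullvalue))`; the document-controlled value then stays quoted by itself while the option name remains its own token. Also worth checking: `db` is now passed as a bare, possibly `nil`, value instead of `(or db "")`, so confirm that a missing `:db` is dropped from the command rather than turning into an `''` positional argument, which sqlite3 would take as a database name.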
-- 
2.41.0




-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>

Thread overview: 14+ messages
2023-08-11 10:59 [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands Max Nikulin
2023-08-13  7:52 ` Ihor Radchenko
2023-08-17 16:11   ` Max Nikulin
2023-08-18  8:43     ` Ihor Radchenko
2023-08-18 10:56       ` Max Nikulin
2023-08-18 11:05         ` Ihor Radchenko
2023-08-19  5:58           ` Max Nikulin
2023-08-21  7:04             ` Ihor Radchenko [this message]
2023-08-21 15:05               ` Max Nikulin
2023-08-22  9:46                 ` Ihor Radchenko
2023-08-28  8:15                   ` Max Nikulin
2023-08-29  8:02                     ` Ihor Radchenko
2023-08-21  7:09             ` [SECURITY] Shell expansion of babel header args (was: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands) Ihor Radchenko
2023-08-17 16:29   ` [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands Max Nikulin

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs/org-mode.git
