From d7a8dd47aa06e715b6bb213914d43f973c6cb413 Mon Sep 17 00:00:00 2001
Message-ID:
In-Reply-To:
References:
From: Ihor Radchenko
Date: Mon, 21 Aug 2023 09:59:12 +0300
Subject: [PATCH 2/2] org-babel-execute:sqlite: Fix shell arg expansion vulnerability

* lisp/ob-sqlite.el (org-babel-execute:sqlite): Use `org-make-shell-command' to escape the strings taken from Org file. This will prevent abusing shell expansion.

Reported-by: Max Nikulin
Link: https://orgmode.org/list/ub549k$q11$1@ciao.gmane.io
---
lisp/ob-sqlite.el | 34 ++++++++++++++--------------------
1 file changed, 14 insertions(+), 20 deletions(-)

diff --git a/lisp/ob-sqlite.el b/lisp/ob-sqlite.el
index 7510e5158..27e495fce 100644
--- a/lisp/ob-sqlite.el
+++ b/lisp/ob-sqlite.el
@@ -77,26 +77,20 @@ (defun org-babel-execute:sqlite (body params)
 (with-temp-buffer
 (insert
 (org-babel-eval
-(org-fill-template
-"%cmd %header %separator %nullvalue %others %csv %db "
-(list
-(cons "cmd" org-babel-sqlite3-command)
-(cons "header" (if headers-p "-header" "-noheader"))
-(cons "separator"
-(if separator (format "-separator %s" separator) ""))
-(cons "nullvalue"
-(if nullvalue (format "-nullvalue %s" nullvalue) ""))
-(cons "others"
-(mapconcat
-(lambda (arg) (format "-%s" (substring (symbol-name arg) 1)))
-others " "))
-;; for easy table parsing, default header type should be -csv
-(cons "csv" (if (or (member :csv others) (member :column others)
-(member :line others) (member :list others)
-(member :html others) separator)
-""
-"-csv"))
-(cons "db" (or db ""))))
+(org-make-shell-command
+org-babel-sqlite3-command
+(if headers-p "-header" "-noheader")
+(when separator (format "-separator %s" separator))
+(when nullvalue (format "-nullvalue %s" nullvalue))
+(mapcar
+(lambda (arg) (format "-%s" (substring (symbol-name arg) 1)))
+others)
+;; for easy table parsing, default header type should be -csv
+(unless (or (member :csv others) (member :column others)
+(member :line others) (member :list others)
+(member :html others) separator)
+"-csv")
+db)
 ;; body of the code block
 (org-babel-expand-body:sqlite body params)))
 (org-babel-result-cond result-params
-- 
2.41.0
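Review bot: `(when separator (format "-separator %s" separator))` and the `-nullvalue` line below it glue the flag and its value into one element; if `org-make-shell-command` quotes each element as a single shell word, which is the whole point of the change, sqlite3 receives `-separator ,` as one unrecognised option instead of `-separator` followed by `,`. Since `others` is already handed over as a list from `mapcar`, the helper presumably splices list elements and drops nil, so `(when separator (list "-separator" separator))` and `(when nullvalue (list "-nullvalue" nullvalue))` would keep flag and value as separate, individually quoted arguments; confirm against the contract of `org-make-shell-command`, which is defined outside this patch. The bare `db` argument relies on the same nil-dropping behaviour, where the removed code mapped a missing database to "". The enclosing `org-babel-execute:sqlite` defun starts before and ends after this hunk.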