From: Daniel Kraus
To: emacs-orgmode@gnu.org
Subject: Re: [PATCH] ob-clojure.el: Add support for babashka and nbb backend
Date: Sun, 14 Nov 2021 17:30:43 +0100
Message-ID: <87v90u66et.fsf@kraus.my>
References: <87bl2mycxq.fsf@kraus.my>
List-Id: "General discussions about Org-mode."
Hi!

Max Nikulin writes:

> On 14/11/2021 22:28, Daniel Kraus wrote:
>> +(defun ob-clojure-escape-quotes (str-val)
>> +  "Escape quotes for STR-VAL."
>> +  (replace-regexp-in-string "\"" "\\\"" str-val 'FIXEDCASE 'LITERAL))
>> +
>> +(defun ob-clojure-eval-with-babashka (bb expanded)
>> +  "Evaluate EXPANDED code block using BB (babashka or nbb)."
>> +  (let ((escaped (ob-clojure-escape-quotes expanded)))
>> +    (shell-command-to-string
>> +     (concat bb " -e \"" escaped "\""))))
>
> Isn't it an open door for security vulnerabilities? Consider a string
> somewhere in the code: "`echo arbitrary code execution`". Only outer
> quotes are escaped.

The escaping is not done for security reasons.
When I have a babel block like

#+BEGIN_SRC clojure
(str "foo" "bar")
#+END_SRC

babashka has to be called with

bb -e "(str \"foo\" \"bar\")"

etc.

Security-wise, someone should always be careful what he evaluates in an
org-babel block.
Nobody prevents you from evaluating

#+BEGIN_SRC shell
sudo rm -rf /
#+END_SRC

Cheers,
Daniel
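Review bot: in the quoted hunk, `ob-clojure-eval-with-babashka` builds a shell command with `concat` and hands it to `shell-command-to-string`, but `ob-clojure-escape-quotes` only escapes `"`; backticks, `$(...)`, `$VAR` and backslashes inside the Clojure source are still interpreted by the shell before `bb` starts, and a Clojure string containing `\"` becomes `\\"`, which closes the shell's double quotes early and breaks the command. Suggest either replacing the hand-rolled escaping with `(shell-quote-argument expanded)`, or avoiding the shell altogether, e.g. `(with-temp-buffer (call-process bb nil t nil "-e" expanded) (buffer-string))`, which also makes `ob-clojure-escape-quotes` unnecessary. `bb` is spliced in unquoted as well, so a backend path containing spaces or shell metacharacters fails for the same reason.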
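To make the difference between the two positions concrete, here is an added example (not part of the patch or of Org mode's ob-clojure.el): the patch's quoting approach, kept only to inspect the command string the shell would receive, next to an invocation that passes `-e` and the block text to babashka as separate argv entries through `call-process`, so no shell ever parses the Clojure source. The `my/` names, the default of `bb` on PATH and the sample block are assumptions of this example.

```elisp
;;; Added example, not code from the patch or from Org mode.
;;; Assumes a babashka binary named "bb" on PATH.

(defun my/ob-clojure-escape-quotes (str-val)
  "Escape double quotes in STR-VAL, mirroring the patch under discussion."
  (replace-regexp-in-string "\"" "\\\"" str-val 'FIXEDCASE 'LITERAL))

(defun my/unsafe-bb-command (bb expanded)
  "Return the shell command line the patch would run for EXPANDED.
Returned only for inspection; evaluating it with `shell-command-to-string'
lets the shell expand backticks, $(...) and $VAR inside the Clojure code."
  (concat bb " -e \"" (my/ob-clojure-escape-quotes expanded) "\""))

(defun my/eval-with-babashka (bb expanded)
  "Evaluate the Clojure source EXPANDED with BB without going through a shell.
BB and the two arguments are passed as an argv vector, so shell syntax in
EXPANDED is never interpreted.  Stdout is returned as a string; a non-zero
exit status raises an error carrying the process output."
  (with-temp-buffer
    (let ((status (call-process bb nil t nil "-e" expanded)))
      (unless (eql status 0)
        (error "%s exited with %S: %s" bb status (buffer-string)))
      (buffer-string))))

(defun my/eval-with-babashka-via-shell (bb expanded)
  "Variant for the case where a shell is genuinely wanted (pipes, remote hosts).
`shell-quote-argument' wraps each argument so the shell sees it as one literal
word; this replaces the hand-rolled quote escaping, it does not add to it."
  (shell-command-to-string
   (concat (shell-quote-argument bb)
           " -e "
           (shell-quote-argument expanded))))

;; Constructed input: a Clojure block whose string literals carry shell syntax.
(defconst my/hostile-block
  "(str \"`echo arbitrary code execution`\" \" $(id)\")")

;; What the shell would parse under the patch: the backticks and $(id) sit
;; inside shell double quotes, where command substitution is still active.
(my/unsafe-bb-command "bb" my/hostile-block)

;; Same block, no shell: babashka receives the source verbatim and merely
;; concatenates the two literal strings.
;; (my/eval-with-babashka "bb" my/hostile-block)
;; (my/eval-with-babashka-via-shell "bb" my/hostile-block)
```

`call-process` inserts the process output into the current buffer when DESTINATION is `t`, hence the `with-temp-buffer`; for blocks executed against a remote `default-directory` the analogous call is `process-file`, which takes the same argument vector.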