From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <emacs-orgmode-bounces+larch=yhetil.org@gnu.org>
Received: from mp11.migadu.com ([2001:41d0:403:4789::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms9.migadu.com with LMTPS
	id sEvCKL0N42TJhgAASxT56A
	(envelope-from <emacs-orgmode-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 21 Aug 2023 09:09:49 +0200
Received: from aspmx1.migadu.com ([2001:41d0:403:4789::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp11.migadu.com with LMTPS
	id UFauKL0N42QcZAEA9RJhRA
	(envelope-from <emacs-orgmode-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 21 Aug 2023 09:09:49 +0200
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 4E0704325A
	for <larch@yhetil.org>; Mon, 21 Aug 2023 09:09:49 +0200 (CEST)
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=posteo.net header.s=2017 header.b=Wit352HK;
	spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org";
	dmarc=pass (policy=none) header.from=posteo.net
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1692601789;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:in-reply-to:in-reply-to:
	 references:references:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post:dkim-signature;
	bh=AmTXbqkMG0i/QufE0Wszw7uaX+j5KPGmq9GQ3TP7EQM=;
	b=p62nUh4Jw0PCobk8YEEJ6x7GIAHQun/0Zjg++LfesuAjq47Z3cQEkux0inJtjxH1xUMUWS
	hd3OfAfiw5crAnSqIUtED2XoTEQAHXCCdfJ+HWGemWBslAo9/b7hqWOMynJq+89VJiUUAd
	Xy+o+PrZOEvnAjuJBPFRgtoAeSZauuSDDKJGxe2Xp9nCMJ8jyFi+qET7OdtiypJcL0l+lE
	DmLYcuwEQkHd/+yisLEbz3X6kQ+rAGX4kYI08z9e+ivU5rYBsmDre6++hOt16Xg59QRl0n
	J2pDH07LJHdMMY5qbVtCFcIhh/8OQchkBIEW369bktAvFtBYugels0DqYoHPMw==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1692601789; a=rsa-sha256; cv=none;
	b=Ruu7oZRm+WlfXv467ZyvvqK9xI2KxjK4zpFp3d1+bbO9MbMkHEypyTfSCK840Vxul6oRA/
	Mr/nN76/nFeHL0I4YZYpmFkimZK75sGdqz+yg9Q7RIBGElWWsJ6pxYokVH8bCUy0CV3Kpc
	X4x9ekrZhxrPUERvtAVt1DYP4mLhGm+p6IdHcATtk5bDH8R37ZDJ4fc/S51ZG1l1ytC805
	6BJ027K+O88GHK54wbJVvO8fhVS9mw13FhjO8MuZHHq//Ar5HOTIpKI7ZdkDK7d1ULdKnW
	qy/xGTMjhNzqbVxp0MIpI1BHTBLosWLWkVppNu6pwCrHwyCf/MxGbr4WqAvgAA==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=pass header.d=posteo.net header.s=2017 header.b=Wit352HK;
	spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org";
	dmarc=pass (policy=none) header.from=posteo.net
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-orgmode-bounces@gnu.org>)
	id 1qXz1w-0002Cf-RU; Mon, 21 Aug 2023 03:08:52 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <yantar92@posteo.net>)
 id 1qXz1v-0002CW-3a
 for emacs-orgmode@gnu.org; Mon, 21 Aug 2023 03:08:51 -0400
Received: from mout01.posteo.de ([185.67.36.65])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <yantar92@posteo.net>)
 id 1qXz1s-0007TM-KL
 for emacs-orgmode@gnu.org; Mon, 21 Aug 2023 03:08:50 -0400
Received: from submission (posteo.de [185.67.36.169]) 
 by mout01.posteo.de (Postfix) with ESMTPS id 8111F240027
 for <emacs-orgmode@gnu.org>; Mon, 21 Aug 2023 09:08:46 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1692601726; bh=h4/65+JrtF0TiGhF3fXatLMGqZGvMtd/DJtIZot3JfY=;
 h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:From;
 b=Wit352HKgyxEZS7r2GF931lQSgCBY56zhnySynzTTmlQdWdDjngIOzxTaF8lG7nYK
 UbA3z2/0lqoTSuSvduPkzdnL+Bm9yywoeA9ZSylOj422WMK9mobI9tQRSVHdriB1VZ
 nXxyQNLyz9LFjVBKv3coJ+M7FiYJFG17yB6iRRZ+QkSPg79lC+Y46FNnnM/kjPZToj
 Oy5DanpLlb0pbh8aqRKZ0IKlcllbKO8FhrtH0+Tn4TJqUv2nA7inctIaldjXPRRHbZ
 K5pOeItfmkubz3FWXb6+z1F5QROG4Omm7RpfafDQZJFHA79qphaptLhMph18ig5k2C
 xYNi25VAk9qeA==
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4RTk996c3Zz6twL;
 Mon, 21 Aug 2023 09:08:45 +0200 (CEST)
From: Ihor Radchenko <yantar92@posteo.net>
To: Max Nikulin <manikulin@gmail.com>
Cc: emacs-orgmode@gnu.org
Subject: [SECURITY] Shell expansion of babel header args (was:
 [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell
 commands)
In-Reply-To: <ubpllb$c7n$1@ciao.gmane.io>
References: <ub549k$q11$1@ciao.gmane.io> <87zg2vl6qc.fsf@localhost>
 <ublgqr$4j7$1@ciao.gmane.io> <87cyzkpwp4.fsf@localhost>
 <ubnipq$7qr$1@ciao.gmane.io> <87o7j43921.fsf@localhost>
 <ubpllb$c7n$1@ciao.gmane.io>
Date: Mon, 21 Aug 2023 07:09:16 +0000
Message-ID: <87edjw6fdv.fsf@localhost>
MIME-Version: 1.0
Content-Type: text/plain
Received-SPF: pass client-ip=185.67.36.65; envelope-from=yantar92@posteo.net;
 helo=mout01.posteo.de
X-Spam_score_int: -53
X-Spam_score: -5.4
X-Spam_bar: -----
X-Spam_report: (-5.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: emacs-orgmode@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "General discussions about Org-mode." <emacs-orgmode.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-orgmode>,
 <mailto:emacs-orgmode-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-orgmode>
List-Post: <mailto:emacs-orgmode@gnu.org>
List-Help: <mailto:emacs-orgmode-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-orgmode>,
 <mailto:emacs-orgmode-request@gnu.org?subject=subscribe>
Errors-To: emacs-orgmode-bounces+larch=yhetil.org@gnu.org
Sender: emacs-orgmode-bounces+larch=yhetil.org@gnu.org
X-Migadu-Flow: FLOW_IN
X-Migadu-Country: US
X-Migadu-Spam-Score: -6.77
X-Spam-Score: -6.77
X-Migadu-Queue-Id: 4E0704325A
X-Migadu-Scanner: mx1.migadu.com
X-TUID: PtI7fb5xOErf

Max Nikulin <manikulin@gmail.com> writes:

> P.S. Babel backends should be consistent in respect to treating options 
> for header arguments:
> - use as is
> - expand ~user and $VAR
> - allow any shell expression

We cannot generally know which header arg values can or cannot be
shell-expanded. It is something only individual babel backends can know.

However, there are frequently used header arguments like :cmd, where it
does make sense to allow shell expansion. But we may need to safeguard
them behind user prompt for safety, similar to what has to be done for
Elisp evaluation.

We can allow backends to specify "safety" of the header argument value
similar to how we now define the allowed values in
`org-babel-common-header-args-w-values'. Then, babel can prompt for user
confirmation every time "unsafe" argument value is encountered.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>