From: Ihor Radchenko
To: Max Nikulin
Cc: emacs-orgmode@gnu.org
Subject: [SECURITY] Shell expansion of babel header args (was: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands)
Date: Mon, 21 Aug 2023 07:09:16 +0000
Message-ID: <87edjw6fdv.fsf@localhost>

Max Nikulin writes:

> P.S. Babel backends should be consistent in respect to treating options
> for header arguments:
> - use as is
> - expand ~user and $VAR
> - allow any shell expression

We cannot generally know which header arg values can or cannot be
shell-expanded. It is something only individual babel backends can know.

However, there are frequently used header arguments like :cmd, where it
does make sense to allow shell expansion. But we may need to safeguard
them behind a user prompt for safety, similar to what has to be done for
Elisp evaluation.

We can allow backends to specify "safety" of the header argument value
similar to how we now define the allowed values in
`org-babel-common-header-args-w-values'. Then, babel can prompt for user
confirmation every time an "unsafe" argument value is encountered.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at .
Support Org development at ,
or support my work at
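
One way the proposal in this message could look in Emacs Lisp, added here as an example; it is not code from Org mode or from the author of the message. Every `my/` name, the `literal`/`shell` classes and the test for shell-active characters are assumptions made for illustration.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added illustration; every `my/' name is hypothetical and not part of Org.
(require 'cl-lib)

(defvar my/babel-header-arg-safety
  '((sqlite . ((:db . literal) (:cmd . shell)))
    (t      . ((:dir . literal))))
  "Hypothetical per-backend table mapping a header arg to a class.
`literal' values are used as is; `shell' values are shell-expanded.")

(defconst my/babel-shell-active-regexp
  "[$`;|&<>(){}*?]\\|\\`~"
  "Assumed test: characters, or a leading ~, that a shell acts on.")

(defun my/babel-arg-class (backend arg)
  "Return the declared class of ARG for BACKEND, defaulting to `literal'."
  (or (alist-get arg (alist-get backend my/babel-header-arg-safety))
      (alist-get arg (alist-get t my/babel-header-arg-safety))
      'literal))

(defun my/babel-unsafe-args (backend params)
  "Return the (ARG . VALUE) pairs in PARAMS that need confirmation.
A pair qualifies when BACKEND declared ARG as `shell' and VALUE is a
string containing shell-active syntax."
  (cl-remove-if-not
   (lambda (pair)
     (and (stringp (cdr pair))
          (eq (my/babel-arg-class backend (car pair)) 'shell)
          (string-match-p my/babel-shell-active-regexp (cdr pair))))
   params))

(defun my/babel-confirm-args (backend params &optional confirm-fn)
  "Return non-nil when every unsafe value in PARAMS was approved.
CONFIRM-FN (default `yes-or-no-p') is called once per unsafe value."
  (cl-every
   (lambda (pair)
     (funcall (or confirm-fn #'yes-or-no-p)
              (format "Header arg %s has shell-expanded value %S.  Allow? "
                      (car pair) (cdr pair))))
   (my/babel-unsafe-args backend params)))

;; Constructed sample parameters in alist form.  The lambda is a
;; non-interactive stand-in for the prompt that always refuses.
(my/babel-confirm-args
 'sqlite '((:db . "test.db") (:cmd . "sqlite3 $HOME/x.db"))
 (lambda (prompt) (message "%s -> refused" prompt) nil))
```

A caller would run the source block only when `my/babel-confirm-args` returns non-nil, in the same place where confirmation for Elisp evaluation is requested.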