From: Ihor Radchenko
To: Max Nikulin
Cc: emacs-orgmode@gnu.org
Subject: Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
In-Reply-To:
References: <87zg2vl6qc.fsf@localhost> <87cyzkpwp4.fsf@localhost> <87o7j43921.fsf@localhost> <87h6os6fm6.fsf@localhost>
Date: Tue, 22 Aug 2023 09:46:24 +0000
Message-ID: <87y1i31kb3.fsf@localhost>

Max Nikulin writes:

> On 21/08/2023 14:04, Ihor Radchenko wrote:
>> +(defconst org-shell-arg-literal (gensym "literal")
>
> (opinion) Perhaps a better name exists. Maybe
> org-shell-arg-tag-unescaped (or unquoted)
> ...

See the updated version of the patches attached.

[Attachment: 0001-org-macs-New-common-API-function-to-quote-shell-argu.patch]

From 6909d6165df11bbc256a334488d37ce0ef98523e Mon Sep 17 00:00:00 2001
Message-ID: <6909d6165df11bbc256a334488d37ce0ef98523e.1692697539.git.yantar92@posteo.net>
From: Ihor Radchenko
Date: Mon, 21 Aug 2023 09:57:50 +0300
Subject: [PATCH 1/2] org-macs: New common API function to quote shell arguments

* lisp/org-macs.el (org-shell-arg-literal): New auxiliary constant.
(org-make-shell-command): New function that returns shell command built
from individual shell arguments, escaping them to prevent malicious code
execution.

Link: https://orgmode.org/list/ub549k$q11$1@ciao.gmane.io
---
 lisp/org-macs.el | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/lisp/org-macs.el b/lisp/org-macs.el
index 907e8bed7..73f8b59f9 100644
--- a/lisp/org-macs.el
+++ b/lisp/org-macs.el
@@ -1593,6 +1593,46 @@ (defun org-sxhash-safe (obj &optional counter) (puthash hash obj org-sxhash-objects) (puthash obj hash org-sxhash-hashes))))) +(defconst org-shell-arg-tag-unescaped (gensym "literal") + "Symbol to be used to mark shell arguments that should not be escaped. +See `org-make-shell-command'.") +(defun org-make-shell-command (command &rest args) + "Build safe shell command string to run COMMAND with ARGS. + +The resulting shell command is safe against malicious shell expansion. + +This function is used to avoid unexpected shell expansion when +building shell command using header arguments from Org babel blocks. + +ARGS can be nil, strings, `(,org-shell-arg-tag-unescaped STRING), or a +list of such elements. For example, + + (let ((files '(\"a.txt\" \"b.txt\" nil \"$HOME.txt\"))) + `(org-make-shell-command \"command\" \"-l\" + \"value with spaces\" + (,org-shell-arg-tag-unescaped \"$HOME\") + (mapcar #'identity files))) + +will shell-escape \"-l\", \"value with spaces\", and each non-nil member of +FILES list, but leave \"$HOME\" to be expanded." + (concat + command (when command " ") + (mapconcat + #'identity + (delq + nil + (mapcar + (lambda (str-def) + (pcase str-def + (`nil nil) + ((pred stringp) (shell-quote-argument str-def)) + (`(,(pred (eq org-shell-arg-tag-unescaped)) ,(and (pred stringp) str)) + str) + ((pred listp) (apply #'org-make-shell-command nil str-def)) + (_ (error "Unknown ARG specification: %S" str-def)))) + args)) + " "))) + (defun org-compile-file (source process ext &optional err-msg log-buf spec) "Compile a SOURCE file using PROCESS. -- 2.41.0 --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0002-org-babel-execute-sqlite-Fix-shell-arg-expansion-vul.patch 
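Review bot: the ChangeLog entry in the commit message still names `org-shell-arg-literal`, and the `gensym` prefix is still "literal", while the hunk defines `org-shell-arg-tag-unescaped`; update the entry and consider `(gensym "unescaped")` so the uninterned symbol's print name matches the constant. A second point on the `pcase`: a tagged form whose payload is not a string, e.g. `(,org-shell-arg-tag-unescaped 1)`, is not matched by the tag pattern and falls into the `(pred listp)` branch, which recurses with the tag symbol as an ordinary argument and reports "Unknown ARG specification" for the gensym rather than for the form the caller wrote; a clause such as `` (`(,(pred (eq org-shell-arg-tag-unescaped)) . ,_) (error "Unescaped value must be a string: %S" str-def)) `` placed before the `listp` case would make that failure readable. The overall design is sound: everything except an explicitly tagged value goes through `shell-quote-argument`, so callers must opt in to shell expansion, which is the right default for values taken from Org header arguments.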
From db0300d18b7d2986eddd4869b73f5702fb429e93 Mon Sep 17 00:00:00 2001
Message-ID:
In-Reply-To: <6909d6165df11bbc256a334488d37ce0ef98523e.1692697539.git.yantar92@posteo.net>
References: <6909d6165df11bbc256a334488d37ce0ef98523e.1692697539.git.yantar92@posteo.net>
From: Ihor Radchenko
Date: Mon, 21 Aug 2023 09:59:12 +0300
Subject: [PATCH 2/2] org-babel-execute:sqlite: Fix shell arg expansion vulnerability

* lisp/ob-sqlite.el (org-babel-execute:sqlite): Use
`org-make-shell-command' to escape the strings taken from Org file.
This will prevent abusing shell expansion.

Reported-by: Max Nikulin
Link: https://orgmode.org/list/ub549k$q11$1@ciao.gmane.io
---
 lisp/ob-sqlite.el | 34 ++++++++++++++--------------------
 1 file changed, 14 insertions(+), 20 deletions(-)

diff --git a/lisp/ob-sqlite.el b/lisp/ob-sqlite.el
index 7510e5158..027f0a72d 100644
--- a/lisp/ob-sqlite.el
+++ b/lisp/ob-sqlite.el
@@ -77,26 +77,20 @@ (defun org-babel-execute:sqlite (body params) (with-temp-buffer (insert (org-babel-eval - (org-fill-template - "%cmd %header %separator %nullvalue %others %csv %db " - (list - (cons "cmd" org-babel-sqlite3-command) - (cons "header" (if headers-p "-header" "-noheader")) - (cons "separator" - (if separator (format "-separator %s" separator) "")) - (cons "nullvalue" - (if nullvalue (format "-nullvalue %s" nullvalue) "")) - (cons "others" - (mapconcat - (lambda (arg) (format "-%s" (substring (symbol-name arg) 1))) - others " ")) - ;; for easy table parsing, default header type should be -csv - (cons "csv" (if (or (member :csv others) (member :column others) - (member :line others) (member :list others) - (member :html others) separator) - "" - "-csv")) - (cons "db" (or db "")))) + (org-make-shell-command + org-babel-sqlite3-command + (if headers-p "-header" "-noheader") + (when separator (list "-separator" separator)) + (when nullvalue (list "-nullvalue" nullvalue)) + (mapcar + (lambda (arg) (format "-%s" (substring (symbol-name arg) 1))) + others) + ;; for easy table parsing, default header type should be -csv + (unless (or (member :csv others) (member :column others) + (member :line others) (member :list others) + (member :html others) separator) + "-csv") + db) ;; body of the code block (org-babel-expand-body:sqlite body params))) (org-babel-result-cond result-params -- 2.41.0 --=-=-= Content-Type: text/plain -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at . Support Org development at , or support my work at --=-=-=--
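Review bot: `separator`, `nullvalue` and `db` are header-argument values that have passed through `org-babel-read`, so a numeric-looking value such as `:nullvalue 0` can reach this code as an integer; the removed `(format "-nullvalue %s" nullvalue)` accepted that, but `org-make-shell-command` only recognises nil, strings, tagged strings and lists and would now signal "Unknown ARG specification". Either stringify at the call site, e.g. `(when nullvalue (list "-nullvalue" (format "%s" nullvalue)))`, or teach the builder to accept numbers. Otherwise the rewrite is a straight improvement: `db` no longer needs the `(or db "")` fallback because nil arguments are dropped, and the `-csv` default and the `others` flags keep exactly the conditions they had before while now being quoted.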
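As an added illustration, not code from the patches or from Org mode, the Python below reproduces the quote-by-default design that patch 1 describes and patch 2 applies: a builder that quotes every argument unless it is explicitly tagged, with `shlex.quote` standing in for `shell-quote-argument` and a sentinel `UNESCAPED` for `org-shell-arg-tag-unescaped`, placed next to a template-based builder that mirrors the removed `org-fill-template` call. The names `make_shell_command`, `sqlite_command_vulnerable`, `sqlite_command` and `shell_words` are my own, the header-argument value in the demo is constructed, and the builder goes one step beyond the Lisp version by also accepting numbers.

```python
"""Quote-by-default shell command builder modelled on org-make-shell-command,
beside the template approach it replaces in ob-sqlite."""
import shlex
import subprocess

# Sentinel playing the role of org-shell-arg-tag-unescaped: an argument
# written as (UNESCAPED, "text") reaches the shell verbatim.
UNESCAPED = object()


def make_shell_command(command, *args):
    """Join COMMAND and ARGS into one shell command string.

    Strings are quoted with shlex.quote; None is dropped; (UNESCAPED, str)
    is kept verbatim; nested lists/tuples are flattened.  Numbers are
    stringified, an addition over the Lisp version (header-argument
    values may arrive as numbers)."""
    def expand(arg):
        if arg is None:
            return []
        if isinstance(arg, (int, float)) and not isinstance(arg, bool):
            arg = str(arg)
        if isinstance(arg, str):
            return [shlex.quote(arg)]
        if isinstance(arg, tuple) and len(arg) == 2 and arg[0] is UNESCAPED:
            if not isinstance(arg[1], str):
                raise TypeError(f"unescaped value must be a string: {arg[1]!r}")
            return [arg[1]]
        if isinstance(arg, (list, tuple)):
            return [piece for item in arg for piece in expand(item)]
        raise TypeError(f"Unknown ARG specification: {arg!r}")

    parts = [command] if command else []
    for arg in args:
        parts.extend(expand(arg))
    return " ".join(parts)


SQLITE = "sqlite3"  # stand-in for org-babel-sqlite3-command
_MODES = {"csv", "column", "line", "list", "html"}  # modes that suppress -csv


def sqlite_command_vulnerable(db, headers=False, separator=None,
                              nullvalue=None, others=()):
    """The removed template approach: header values are interpolated unquoted."""
    parts = [
        SQLITE,
        "-header" if headers else "-noheader",
        f"-separator {separator}" if separator is not None else "",
        f"-nullvalue {nullvalue}" if nullvalue is not None else "",
        " ".join(f"-{o}" for o in others),
        "" if (separator is not None or _MODES & set(others)) else "-csv",
        db or "",
    ]
    return " ".join(p for p in parts if p)


def sqlite_command(db, headers=False, separator=None,
                   nullvalue=None, others=()):
    """The patched approach: the same values routed through the builder."""
    return make_shell_command(
        SQLITE,
        "-header" if headers else "-noheader",
        ["-separator", separator] if separator is not None else None,
        ["-nullvalue", nullvalue] if nullvalue is not None else None,
        [f"-{o}" for o in others],
        None if (separator is not None or _MODES & set(others)) else "-csv",
        db,
    )


def shell_words(cmd):
    """Run CMD under /bin/sh with a printf stand-in for sqlite3 and return
    the words the shell actually handed to it, one per line.  Demo only;
    assumes a POSIX sh is available."""
    script = f"{SQLITE}() {{ printf '%s\\n' \"$@\"; }}; {cmd}"
    out = subprocess.run(["/bin/sh", "-c", script],
                         capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


if __name__ == "__main__":
    # Constructed :db header value carrying shell metacharacters.
    db = "notes.db; echo INJECTED"
    print("template:", shell_words(sqlite_command_vulnerable(db)))
    print("builder: ", shell_words(sqlite_command(db)))
```

Running the demo shows the difference in argument boundaries: with the template, the shell sees `notes.db` as the database and then runs `echo INJECTED` as a second command, while the builder delivers the whole value as one quoted word, so sqlite3 simply fails to open a file with that name.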