From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id CL+nMQRwkmF5eQAAgWs5BA (envelope-from ) for ; Mon, 15 Nov 2021 15:34:44 +0100 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id YG5ULQRwkmGWAQAA1q6Kng (envelope-from ) for ; Mon, 15 Nov 2021 14:34:44 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 798FAB3A6 for ; Mon, 15 Nov 2021 15:34:44 +0100 (CET) Received: from localhost ([::1]:34758 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mmd4E-0000jr-Dy for larch@yhetil.org; Mon, 15 Nov 2021 09:34:42 -0500 Received: from eggs.gnu.org ([209.51.188.92]:50116) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mmd3J-0000ek-GB for emacs-orgmode@gnu.org; Mon, 15 Nov 2021 09:33:45 -0500 Received: from ciao.gmane.io ([116.202.254.214]:51614) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mmd3I-00053Y-0A for emacs-orgmode@gnu.org; Mon, 15 Nov 2021 09:33:45 -0500 Received: from list by ciao.gmane.io with local (Exim 4.92) (envelope-from ) id 1mmd3F-0003af-Tk for emacs-orgmode@gnu.org; Mon, 15 Nov 2021 15:33:41 +0100 X-Injected-Via-Gmane: http://gmane.org/ To: emacs-orgmode@gnu.org From: Max Nikulin Subject: Re: [PATCH] ob-clojure.el: Add support for babashka and nbb backend Date: Mon, 15 Nov 2021 21:33:33 +0700 Message-ID: References: <87bl2mycxq.fsf@kraus.my> <87v90u66et.fsf@kraus.my> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0 In-Reply-To: <87v90u66et.fsf@kraus.my> Content-Language: en-US Received-SPF: pass client-ip=116.202.254.214; envelope-from=geo-emacs-orgmode@m.gmane-mx.org; helo=ciao.gmane.io X-Spam_score_int: 5 X-Spam_score: 0.5 X-Spam_bar: / X-Spam_report: (0.5 / 5.0 requ) BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FORGED_GMAIL_RCVD=1, FORGED_MUA_MOZILLA=2.309, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, NICE_REPLY_A=-2.278, NML_ADSP_CUSTOM_MED=0.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-orgmode@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "General discussions about Org-mode." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-orgmode-bounces+larch=yhetil.org@gnu.org Sender: "Emacs-orgmode" X-Migadu-Flow: FLOW_IN X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1636986884; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=5+6ooW8WZNoJzyD7jRyaT4uE3O+X3C3GGkS2M4uqRXA=; b=bVSD/jLioNeblsx03vw4WonupRPSeGQtmz9+X+v7Ci30hLcMMTyTsWHMaGuA/bGq0QEOTd 1GjCe/X9/5fl03etetq7ftN8+0ygUdKUbjcbab+EhvnEFjug+4sBzQs3Lfn5N8VeTQQVHq Zzl8fac47RccXNThm8UtILC3b2I+28YRXQDwDuzKu1Uv+rBykqKyJK3FIziLLLo9AdbGpW lz6FkIY6rU38kv7K6eDB/d6guUnZUZKn18GDZVKW+eOo1fplkidyKLW8M8QPI68zPn4FxH FcKsrMJwQNhbDjZmk3kWPvt1oNwYiEpLWKWWohFeU9xuluCuGA0386rlNGvHjg== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1636986884; a=rsa-sha256; cv=none; b=OpA46+lYPhOoX6aGVVh02hKW9TGdljiiO8uwDbb64gBZyojlSVMgZstmKzH3s8hDBMSkb/ Ele7Jc4IM6avYJejrjwrbZ4SnoZnYfWYNb/hIwtTzkbjT51XAJaVBPBqBbQXGX7FuSkEuE xvWzRXv8RgAs5eUbMLVc+ts4Nh9e3Dk0Ji8ukT5z2ta+xS9RO7UrtEENxaS5/fGsEmCYEQ JUMrY0w5FkxIrS76mkK2wWDs4VskiQCyIeC89GtkRLCUrudAxBGyrQh1/LmJzXq0eFNd7U WoH8Xiy4x74y0nZl7bAmM4KatBO72OQUV3Gsz1vBN+/Vd5pKvb63GAGe4ivxcQ== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -2.34 Authentication-Results: aspmx1.migadu.com; dkim=none; spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: 798FAB3A6 X-Spam-Score: -2.34 X-Migadu-Scanner: scn0.migadu.com X-TUID: uS1sHW2Q3kjg On 14/11/2021 23:30, Daniel Kraus wrote: > Max Nikulin writes: >> On 14/11/2021 22:28, Daniel Kraus wrote: >>> +(defun ob-clojure-escape-quotes (str-val) >>> + "Escape quotes for STR-VAL." >>> + (replace-regexp-in-string "\"" "\\\"" str-val 'FIXEDCASE 'LITERAL)) >>> + >>> +(defun ob-clojure-eval-with-babashka (bb expanded) >>> + "Evaluate EXPANDED code block using BB (babashka or nbb)." >>> + (let ((escaped (ob-clojure-escape-quotes expanded))) >>> + (shell-command-to-string >>> + (concat bb " -e \"" escaped "\"")))) >> >> Does not it an open door for security vulnerabilities? Consider a string >> somewhere in the code: "`echo arbitrary code execution`". Only outer quotes are >> escaped. > > The escaping is not done for security reasons. > When I have a babel block like > > #+BEGIN_SRC clojure > (str "foo" "bar") > #+END_SRC > > babashka has to be called with > > bb -e "(str \"foo\" \"bar\")" Enough shell constructs may be interpreted by shell inside double quotes before result is passed to bb. I mentioned execution of code inside backticks, variable substitutions are mostly undesired as well. I do not think, users should escape "$" inside source blocks just because you chose incomplete escaping of shell specials. The following source block must not execute echo and touch #+begin_src clojure (str "`echo $HOME`" "`touch /tmp/pwned`") #+end_src Shell should not be used to launch any command unless it is really necessary. Arguments should be passed directly to execve(2) system call as an array. Combining them into string to pass through shell interpreter to parse into argument array again is error prone. Unfortunately Emacs API related to execution of external processes is awkward. In this particular case it encourages usage of the unsafe function since there is no convenient helper that accepts binary and *list* of arguments and returns output as a string. So more verbose code is required to invoke bb without intermediate interpretation of content of argument string. In my opinion it is better than using of more reliable and tested function to escape shell specials.