emacs-orgmode@gnu.org archives
From: Max Nikulin <manikulin@gmail.com>
To: emacs-orgmode@gnu.org
Subject: Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
Date: Mon, 21 Aug 2023 22:05:54 +0700
Message-ID: <ubvugj$am$1@ciao.gmane.io>
In-Reply-To: <87h6os6fm6.fsf@localhost>

On 21/08/2023 14:04, Ihor Radchenko wrote:
> +(defconst org-shell-arg-literal (gensym "literal")
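Review bot: the defconst docstring should say why the marker is a gensym rather than a plain symbol: an uninterned symbol can never come out of `read` on text from an Org document, so a header argument cannot pose as a (LITERAL STRING) element. That is the property the whole function relies on, and it should be stated so that no caller re-reads or interns the marker. Note also that `defconst` re-evaluates its value form on every load, so after a reload of the file a fresh gensym is created and any list built with the old marker stops matching.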

(opinion) Perhaps a better name exists. Maybe 
org-shell-arg-tag-unescaped (or unquoted)

> +  "Symbol to be used to mark shell arguments that should not be escaped.
> +See `org-make-shell-command'.")
> +(defun org-make-shell-command (command &rest args)
> +  "Build safe shell command string to run COMMAND with ARGS.
> +
> +The resulting shell command is safe against malicious shell expansion.
> +
> +ARGS can be nil, strings, (LITERAL STRING), or a list of
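Review bot: "safe against malicious shell expansion" is stated unconditionally, but the guarantee only covers the string path. COMMAND is concatenated as-is (see the `concat` below) and LITERAL elements are inserted without quoting, so the docstring should say explicitly that both must originate in trusted Lisp code and never in a value taken from a document header argument.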

(opinion) I would give an example

     `(,org-shell-arg-literal STRING)

to avoid "LITERAL", which is confusing from my point of view. Perhaps it 
is better to describe its purpose more clearly: prevent raw shell 
constructs in ob header arguments in Org documents unless they appear in 
evaluated expressions.

> +such elements.  LITERAL must be the value of `org-shell-arg-literal'.
> +
> +Strings will be quoted with `shell-quote-argument' while \(literal
> +STRING) will be used without quoting.  nil values will be ignored."
> +  (concat
> +   command (when command " ")
> +   (mapconcat
> +    #'identity
> +    (delq
> +     nil
> +     (mapcar
> +      (lambda (str-def)
> +        (pcase str-def
> +          (`(or nil "") nil)
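Review bot: the pattern `` `(or nil "") `` does not match nil or "". Inside a backquote pattern, (or nil "") is a literal three-element list, so this branch only fires for an argument `equal` to the list (or nil ""), and an actual nil or "" falls through to whatever branch follows. Write it as `((or 'nil "") nil)`, or, if empty strings are to be kept as real arguments, just `('nil nil)`, so that nil is dropped as the docstring promises.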

An empty string may be an important argument. E.g.

     read -r -d "" var

allows reading values separated by the null character (\0), e.g. from the 
output of find -print0. That is why I would leave just nil.

> +         (when separator (format "-separator %s" separator))
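Review bot: `-separator` and its value are packed into one string here, so after `shell-quote-argument` they reach sqlite3 as a single argv element "-separator X", which the sqlite3 command line does not accept; emit them as two elements, e.g. `(and separator (list "-separator" (format "%s" separator)))`. Keep the value on the quoted string path rather than wrapping it as LITERAL, since it originates in a header argument.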

Sorry, I made a typo last time. It would not work: -separator and 
the separator character must *not* be combined into a single argument. 
Sqlite does not support it.

     (and separator `("-separator" ,separator))

or (format "%s" separator) if it may have a type other than string.

I hope, this approach does not have unnoticed flaws.
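The quoting helper and the two argument shapes discussed in this thread, written out as an added example in Emacs Lisp. This is not code from Org or from the patch under review; the names ending in "-demo" are hypothetical, and the header-argument values below are constructed to show what the quoting does to them.

```elisp
;; Added example, not code from Org or from the patch under discussion.
;; Names ending in "-demo" are hypothetical.  Evaluate in *scratch*.
(require 'cl-lib)

(defconst shell-arg-literal-demo (gensym "literal")
  "Uninterned marker for arguments that must not be quoted.
Because the symbol is uninterned, `read' on text from an Org document
can never produce it, so a header argument cannot claim to be literal.")

(defun make-shell-command-demo (command &rest args)
  "Build a command line from COMMAND and ARGS.
Strings are quoted with `shell-quote-argument'; a list of the form
\(MARKER STRING) where MARKER is `shell-arg-literal-demo' is inserted
verbatim; nil is dropped; any other list is flattened.  COMMAND itself
is inserted verbatim and must come from trusted Lisp code."
  (cl-labels
      ((expand (x)
         (pcase x
           ('nil nil)
           ((pred stringp) (list (shell-quote-argument x)))
           (`(,(pred (eq shell-arg-literal-demo)) ,(and s (pred stringp)))
            (list s))
           ((pred listp) (apply #'append (mapcar #'expand x)))
           (_ (error "Unsupported shell argument: %S" x)))))
    (mapconcat #'identity (cons command (expand args)) " ")))

;; Constructed input: a :db header argument carrying shell metacharacters,
;; and a separator that sqlite3 needs as two separate argv elements.
(let ((db "x.db; echo pwned > /tmp/pwned #")
      (separator ","))
  (make-shell-command-demo
   "sqlite3"
   (and separator (list "-separator" (format "%s" separator)))
   db
   (list shell-arg-literal-demo "< query.sql")))
;; On a POSIX shell every metacharacter in DB is backslash-escaped, so the
;; "; echo pwned ..." part stays inside the file-name argument, while the
;; marked redirection is left for the shell to interpret.

;; A document cannot forge the marker: `read' yields the interned symbol
;; `literal', which is not `eq' to the gensym, so the element is treated
;; as an ordinary list and its symbol is rejected with an error.
(condition-case err
    (make-shell-command-demo "sqlite3" (read "(literal \"< query.sql\")"))
  (error (error-message-string err)))
```

The nil branch uses the `'nil` pattern so that it drops nil only, which keeps an empty string usable as a real argument; the separator is emitted as two elements and stays on the quoted path because it comes from the document.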


Thread overview: 14+ messages
2023-08-11 10:59 [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands Max Nikulin
2023-08-13  7:52 ` Ihor Radchenko
2023-08-17 16:11   ` Max Nikulin
2023-08-18  8:43     ` Ihor Radchenko
2023-08-18 10:56       ` Max Nikulin
2023-08-18 11:05         ` Ihor Radchenko
2023-08-19  5:58           ` Max Nikulin
2023-08-21  7:04             ` Ihor Radchenko
2023-08-21 15:05               ` Max Nikulin [this message]
2023-08-22  9:46                 ` Ihor Radchenko
2023-08-28  8:15                   ` Max Nikulin
2023-08-29  8:02                     ` Ihor Radchenko
2023-08-21  7:09             ` [SECURITY] Shell expansion of babel header args (was: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands) Ihor Radchenko
2023-08-17 16:29   ` [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands Max Nikulin