From: Max Nikulin
Subject: Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
Date: Mon, 28 Aug 2023 15:15:15 +0700

On 22/08/2023 16:46, Ihor Radchenko wrote:
> See the updated version of the patches attached.

Thank you, I do not see apparent issues with code any more. Commit message needs an update, apostrophes in the doc string should be escaped.

Feel free to ignore other comments since there are other issues and investing excessive time into polishing of this one is not reasonable.

> Subject: [PATCH 1/2] org-macs: New common API function to quote shell
> arguments
>
> * lisp/org-macs.el (org-shell-arg-literal): New auxiliary constant.
                      ^^^^^^^^^^^^^^^^^^^^^
You have changed its name.

> (org-make-shell-command): New function that returns shell command
> built from individual shell arguments, escaping them to prevent
> malicious code execution.
...
> +++ b/lisp/org-macs.el
> @@ -1593,6 +1593,46 @@ (defun org-sxhash-safe (obj &optional counter) > (puthash hash obj org-sxhash-objects) > (puthash obj hash org-sxhash-hashes))))) > > +(defconst org-shell-arg-tag-unescaped (gensym "literal") > + "Symbol to be used to mark shell arguments that should not be escaped. > +See `org-make-shell-command'.") > +(defun org-make-shell-command (command &rest args) > + "Build safe shell command string to run COMMAND with ARGS. > + > +The resulting shell command is safe against malicious shell expansion. > + > +This function is used to avoid unexpected shell expansion when > +building shell command using header arguments from Org babel blocks. > + > +ARGS can be nil, strings, `(,org-shell-arg-tag-unescaped STRING), or a add \\= before ` and ', otherwise help formatter makes them "pretty". > +list of such elements. For example, > + > + (let ((files '(\"a.txt\" \"b.txt\" nil \"$HOME.txt\"))) > + `(org-make-shell-command \"command\" \"-l\" > + \"value with spaces\" > + (,org-shell-arg-tag-unescaped \"$HOME\") > + (mapcar #'identity files))) Is `mapcar' necessary here? Anyway `delq' is called on another result of `mapcar', so the function should not do any destructive list modification. An idea that may be ignored: make the constant internal and add (defsubst org-make-shell-command-unescaped (arg) (list org--shell-arg-tag-unescaped arg)) to avoid `, noise in `(,org-shell-arg-tag-unescaped STRING). > +will shell-escape \"-l\", \"value with spaces\", and each non-nil member of There is nothing to escape in "-l". Perhaps it deserves a mention that COMMAND is passed unquoted to be suitable for commands with arguments as defcustom user option values. To escape it pass nil as first argument and add COMMAND before ARGS. > +FILES list, but leave \"$HOME\" to be expanded." ...by shell.
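Review bot: The docstring sentence "The resulting shell command is safe against malicious shell expansion" in org-make-shell-command promises more than the documented interface delivers, because the same docstring lets `(,org-shell-arg-tag-unescaped STRING) elements reach the shell unquoted. I would narrow the sentence to say that only untagged string ARGS are escaped, and state that values taken from Babel header arguments must never be wrapped in the unescaped tag. Two smaller points: the (gensym "literal") prefix in the defconst still reflects the constant's earlier name, and the docstring example backquotes the whole (org-make-shell-command ...) form, so as written it builds a list rather than calling the function.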
> Subject: [PATCH 2/2] org-babel-execute:sqlite: Fix shell arg expansion > vulnerability > > - (org-fill-template Should an explicit warning be added to `org-fill-template' that enough care is required to escape values if it is used to build a shell command?
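
The argument rules from the quoted docstring, together with the review's two suggestions (an internal tag behind a small wrapper, and nil as COMMAND when the program name should be quoted too), sketched in Emacs Lisp as an added example. It is not the patch's implementation, whose body is not quoted in this message; every `demo-` name and the sample sqlite3 call are hypothetical.

```elisp
;;; Added sketch, not Org's `org-make-shell-command'.  demo- names are hypothetical.
(require 'cl-lib)

;; Uninterned symbol: nothing produced by `read' on document text can be
;; `eq' to it, so a header-argument value cannot forge the tag.
(defconst demo--shell-arg-unescaped (make-symbol "unescaped")
  "Marker; (MARKER STRING) means hand STRING to the shell unquoted.")

(defsubst demo-shell-unescaped (arg)
  "Wrap trusted ARG so that `demo-make-shell-command' leaves it unquoted."
  (list demo--shell-arg-unescaped arg))

(defun demo--shell-words (args)
  "Return a fresh flat list of shell words for ARGS without modifying ARGS.
nil is skipped, strings are quoted, tagged pairs pass through, and
other lists are processed recursively."
  (cl-loop for arg in args
           append (cond
                   ((null arg) nil)
                   ((stringp arg) (list (shell-quote-argument arg)))
                   ((and (consp arg) (eq (car arg) demo--shell-arg-unescaped))
                    (list (cadr arg)))
                   ((consp arg) (demo--shell-words arg))
                   ;; Fail closed instead of formatting unknown objects.
                   (t (error "Unsupported shell argument: %S" arg)))))

(defun demo-make-shell-command (command &rest args)
  "Return COMMAND followed by quoted ARGS as one shell command string.
COMMAND is inserted unquoted so it may carry its own options; pass
nil as COMMAND and put the program name first in ARGS to quote it too."
  (mapconcat #'identity
             (append (and command (list command)) (demo--shell-words args))
             " "))

(defun demo-sqlite-command (db-header-value)
  "Build a sqlite3 call from DB-HEADER-VALUE, a constructed untrusted string."
  (demo-make-shell-command "sqlite3" "-batch" db-header-value
                           (demo-shell-unescaped "< \"$HOME/query.sql\"")))

;; Constructed hostile value: the `;' and spaces arrive quoted, so the
;; shell sees one database file name and no second command.
(demo-sqlite-command "test.db; echo injected")
```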