From: Max Nikulin <manikulin@gmail.com>
To: emacs-orgmode@gnu.org
Subject: Re: [PATCH] ob-clojure.el: Add support for babashka and nbb backend
Date: Mon, 15 Nov 2021 21:33:33 +0700
Message-ID: <smtr3v$chu$1@ciao.gmane.io>
In-Reply-To: <87v90u66et.fsf@kraus.my>

On 14/11/2021 23:30, Daniel Kraus wrote:
> Max Nikulin writes:
>> On 14/11/2021 22:28, Daniel Kraus wrote:
>>> +(defun ob-clojure-escape-quotes (str-val)
>>> +  "Escape quotes for STR-VAL."
>>> +  (replace-regexp-in-string "\"" "\\\"" str-val 'FIXEDCASE 'LITERAL))
>>> +
>>> +(defun ob-clojure-eval-with-babashka (bb expanded)
>>> +  "Evaluate EXPANDED code block using BB (babashka or nbb)."
>>> +  (let ((escaped (ob-clojure-escape-quotes expanded)))
>>> +    (shell-command-to-string
>>> +     (concat bb " -e \"" escaped "\""))))
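Review bot: `ob-clojure-escape-quotes` only neutralises `"`, but inside a double-quoted shell word the shell still expands `$VAR`, `$(...)` and backticks and collapses `\\` to `\`, so a block containing "`touch /tmp/pwned`" runs `touch` before bb ever sees the code, and a Clojure string literal containing `\\` arrives altered. In `ob-clojure-eval-with-babashka`, drop the `concat` into a shell command string and pass the code as a single argv element, e.g. `(with-temp-buffer (call-process bb nil t nil "-e" expanded) (buffer-string))`; if a shell is unavoidable, quote the whole argument with `(shell-quote-argument expanded)` instead of the hand-rolled escape.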
>>
>> Isn't that an open door for security vulnerabilities? Consider a string
>> somewhere in the code: "`echo arbitrary code execution`". Only outer quotes are
>> escaped.
> 
> The escaping is not done for security reasons.
> When I have a babel block like
> 
> #+BEGIN_SRC clojure
> (str "foo" "bar")
> #+END_SRC
> 
> babashka has to be called with
> 
> bb -e "(str \"foo\" \"bar\")"

Enough shell constructs are interpreted by the shell inside double quotes 
before the result is passed to bb. I mentioned execution of code inside 
backticks; variable substitutions are mostly undesired as well. I do not 
think users should escape "$" inside source blocks just because you 
chose incomplete escaping of shell specials.

The following source block must not execute echo or touch:

#+begin_src clojure
   (str "`echo $HOME`" "`touch /tmp/pwned`")
#+end_src

The shell should not be used to launch any command unless it is really 
necessary. Arguments should be passed directly to the execve(2) system call 
as an array. Combining them into a string to pass through the shell 
interpreter, which parses it into an argument array again, is error prone.

Unfortunately, the Emacs API related to execution of external processes is 
awkward. In this particular case it encourages usage of the unsafe 
function, since there is no convenient helper that accepts a binary and a 
*list* of arguments and returns output as a string.

So more verbose code is required to invoke bb without intermediate 
interpretation of the content of the argument string. In my opinion it is better 
than using a more reliable and tested function to escape shell specials.
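The approach argued for above, as an added example that is not code from the patch or from Org mode's ob-clojure.el: build the argv directly with `call-process` so the block content reaches bb as one argument and is never parsed by a shell. The function names `ob-clojure-eval-with-babashka-direct` and `ob-clojure-babashka-shell-command` are hypothetical, chosen here for illustration; the example assumes a `bb` binary on `exec-path`, and the sample input is the source block from this message.

```elisp
;; Added example, not part of Org mode or the patch under review.
;; Names below are hypothetical; assumes `bb' is found via `exec-path'.

(defun ob-clojure-eval-with-babashka-direct (bb expanded)
  "Evaluate EXPANDED code block with BB (babashka or nbb) without a shell.
EXPANDED is passed as a single argv element after \"-e\", so backticks,
$VAR, $(...) and quotes inside the block are plain characters to bb.
Returns bb's stdout/stderr as a string; signals an error on a non-zero
exit status so callers do not mistake an error message for a result."
  (with-temp-buffer
    ;; INFILE nil, DESTINATION t (current buffer), DISPLAY nil, then args.
    (let ((status (call-process bb nil t nil "-e" expanded)))
      (unless (and (integerp status) (zerop status))
        (error "%s exited with %s: %s" bb status (buffer-string)))
      (buffer-string))))

;; Constructed input: the block from this message.  With the shell-based
;; helper in the patch, `echo' and `touch' run before bb sees the string;
;; here they are just string contents and bb only concatenates them.
(ob-clojure-eval-with-babashka-direct
 "bb" "(str \"`echo $HOME`\" \"`touch /tmp/pwned`\")")

;; If a shell command string is genuinely required, quote the whole
;; argument with the standard `shell-quote-argument' rather than
;; escaping only double quotes by hand.
(defun ob-clojure-babashka-shell-command (bb expanded)
  "Return a shell command string running BB -e EXPANDED, fully quoted."
  (concat (shell-quote-argument bb) " -e " (shell-quote-argument expanded)))

(ob-clojure-babashka-shell-command
 "bb" "(str \"`echo $HOME`\" \"`touch /tmp/pwned`\")")
```

The direct variant is the one to prefer: there is no escaping step to get wrong because there is no shell in the path at all, and a non-zero exit from bb surfaces as an Emacs error instead of being silently returned as the block's output. The `shell-quote-argument` variant is only for the case the message allows, where a shell is really necessary, and even then the whole Clojure form is quoted as one unit.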


