From: Max Nikulin <manikulin@gmail.com>
To: emacs-orgmode@gnu.org
Subject: Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
Date: Thu, 17 Aug 2023 23:11:01 +0700 [thread overview]
Message-ID: <ublgqr$4j7$1@ciao.gmane.io> (raw)
In-Reply-To: <87zg2vl6qc.fsf@localhost>
On 13/08/2023 14:52, Ihor Radchenko wrote:
> What do you think about creating a new API to built shell commands and
> then using it across all the babel backends?
I support the idea in general, but not its particular implementation as
`org-make-shell-command' in your patch.
It does not address the issue I raised.
#+begin_src sqlite :db '(literal "/tmp/ob.sqlite$(date
>/tmp/ob-sqlite-vuln.log)")
select 1
#+end_src
still executes a shell command without user prompt. Moreover for
org-babel such value does not look like as something that may be
evaluated, it is just a list. So the proposed syntax is more explicit
(and I like it), but it does not prevent unsolicited execution of shell
command.
I would consider some way to specify whether COMMAND should be quoted as
well. Path to an executable may contain a space or other special
character at least for some shells. On the other hand it is more usual
case to specify some arguments to the command.
I am unsure if a note should be added to the `org-fill-template'
docstring that the function should not be used for building shell commands.
next prev parent reply other threads:[~2023-08-17 16:12 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-11 10:59 [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands Max Nikulin
2023-08-13 7:52 ` Ihor Radchenko
2023-08-17 16:11 ` Max Nikulin [this message]
2023-08-18 8:43 ` Ihor Radchenko
2023-08-18 10:56 ` Max Nikulin
2023-08-18 11:05 ` Ihor Radchenko
2023-08-19 5:58 ` Max Nikulin
2023-08-21 7:04 ` Ihor Radchenko
2023-08-21 15:05 ` Max Nikulin
2023-08-22 9:46 ` Ihor Radchenko
2023-08-28 8:15 ` Max Nikulin
2023-08-29 8:02 ` Ihor Radchenko
2023-08-21 7:09 ` [SECURITY] Shell expansion of babel header args (was: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands) Ihor Radchenko
2023-08-17 16:29 ` [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands Max Nikulin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.orgmode.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='ublgqr$4j7$1@ciao.gmane.io' \
--to=manikulin@gmail.com \
--cc=emacs-orgmode@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).