From: Max Nikulin
To: emacs-orgmode@gnu.org
Subject: Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
Date: Sat, 19 Aug 2023 12:58:02 +0700
In-Reply-To: <87o7j43921.fsf@localhost>

On 18/08/2023 18:05, Ihor Radchenko wrote:
> Max Nikulin writes:
>
>> Ihor, this is a list, not an expression to be evaluated. There are some
>> conditions to avoid user prompts for strings, lists, etc. They are
>> considered safe.
>>
>> This particular case is handled namely by ob-sqlite and the proposed
>> function in org-macs.
>
> Do you have any ideas how to work around the deliberately constructed
> header argument values like in your example?

Perhaps `gensym' may be used to create a symbol that cannot appear in a
document. I am unsure if the following `pcase' variant may be improved

    (`(,(and s (guard (eq s ob-literal-symbol))) ,(and (pred stringp) str)) str)

for

    ;; or ob-shell-argument-literal-symbol
    (defconst ob-literal-symbol (gensym "literal"))

I hope list values cannot be used to bypass escaping with such an approach.
It is still possible to use evaluated expressions, but the user prompt for
such cases should be fixed anyway.

P.S. Babel backends should be consistent with respect to treating options
for header arguments:
- use as is
- expand ~user and $VAR
- allow any shell expression
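The sketch above, worked out as an added example (this is not Org's code and not part of the thread): the `pcase' clause and the `ob-literal-symbol' defconst are taken from the message; the wrapper `ob-literal', the function `ob-shell-argument' and the sample header values are hypothetical names constructed here to show why an uninterned tag cannot be forged from document text.

```elisp
;;; Added illustration, not Org's own code: keep code-constructed
;;; literal shell arguments apart from values read from a document.

;; An uninterned symbol created when the library loads.  `read' on
;; document text can only yield interned symbols, so no Org file can
;; produce an object `eq' to this one.  The name is the one proposed
;; in the thread; `ob-shell-argument-literal-symbol' was the alternative.
(defconst ob-literal-symbol (gensym "literal")
  "Uninterned tag marking a shell argument that must be used as is.")

(defun ob-literal (string)
  "Wrap STRING so that `ob-shell-argument' passes it to the shell unescaped.
Hypothetical helper; only trusted code should call it."
  (list ob-literal-symbol string))

(defun ob-shell-argument (value)
  "Return VALUE as a single shell word.  Hypothetical helper.
A string or number coming from a header argument is quoted with
`shell-quote-argument'.  A list (TAG STRING) whose TAG is `eq' to
`ob-literal-symbol' is returned verbatim.  Any other list, including
one read from a document whose first element merely prints as
\"literal\", is rejected instead of being handed to the shell."
  (pcase value
    ;; Clause from the message: only the uninterned tag matches.
    (`(,(and s (guard (eq s ob-literal-symbol))) ,(and (pred stringp) str)) str)
    ((pred stringp) (shell-quote-argument value))
    ((pred numberp) (shell-quote-argument (number-to-string value)))
    (_ (error "Unsupported header argument value: %S" value))))

;; Constructed demonstration.  `doc-value' is the kind of :db option a
;; malicious document could supply if the backend interpolated it into
;; a shell command unquoted; `forged' is a document trying to imitate
;; the literal tag; `trusted' is built by code via `ob-literal'.
(let* ((doc-value "x.db; echo PWNED")
       ;; `read' yields the interned symbol `literal', not the gensym.
       (forged (car (read-from-string "(literal \"$(id)\")")))
       (trusted (ob-literal "$HOME/notes.db")))
  (list
   ;; Quoted: the `;' and spaces are escaped, no second command runs.
   (ob-shell-argument doc-value)
   ;; Passed through unchanged, because the tag is the real gensym.
   (ob-shell-argument trusted)
   ;; Rejected: the forged list never matches the first clause.
   (condition-case err
       (ob-shell-argument forged)
     (error (format "rejected: %s" (error-message-string err))))))
```

Evaluating the final `let*' form in `M-x ielm' or with `M-:' returns a three-element list: the escaped document value, the untouched trusted literal, and the "rejected: ..." message for the forged list. The reason the bypass fails is that `eq' compares object identity: `(gensym "literal")' is never interned in `obarray', so reading the text `literal' from a document produces a different symbol, and no header argument value can satisfy the guard.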