
Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary


From: Ihor Radchenko
Subject: Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
Date: Sun, 13 Aug 2023 07:52:11 +0000

Max Nikulin <manikulin@gmail.com> writes:

> ---- 8< ----
> #+begin_src elisp :results none
>    (require 'ob-sqlite)
> #+end_src
>
> #+begin_src sqlite :db /tmp/ob.sqlite$(date >/tmp/ob-sqlite-vuln.log)
>    select 1
> #+end_src
> ---- >8 ----
>
> Executing the sqlite code block causes creation of the 
> /tmp/ob-sqlite-vuln.log file.
>
> The cause is usage of `org-fill-template' without `shell-quote-argument'.

Confirmed.

This pattern is clearly very common.
What do you think about creating a new API to build shell commands and
then using it across all the babel backends?

See the attached tentative diff.

diff --git a/lisp/ob-sqlite.el b/lisp/ob-sqlite.el
index 7510e5158..27e495fce 100644
--- a/lisp/ob-sqlite.el
+++ b/lisp/ob-sqlite.el
@@ -77,26 +77,20 @@ (defun org-babel-execute:sqlite (body params)
     (with-temp-buffer
       (insert
        (org-babel-eval
-       (org-fill-template
-        "%cmd %header %separator %nullvalue %others %csv %db "
-        (list
-         (cons "cmd" org-babel-sqlite3-command)
-         (cons "header" (if headers-p "-header" "-noheader"))
-         (cons "separator"
-               (if separator (format "-separator %s" separator) ""))
-         (cons "nullvalue"
-               (if nullvalue (format "-nullvalue %s" nullvalue) ""))
-         (cons "others"
-               (mapconcat
-                (lambda (arg) (format "-%s" (substring (symbol-name arg) 1)))
-                others " "))
-         ;; for easy table parsing, default header type should be -csv
-         (cons "csv" (if (or (member :csv others) (member :column others)
-                             (member :line others) (member :list others)
-                             (member :html others) separator)
-                         ""
-                       "-csv"))
-          (cons "db" (or db ""))))
+        (org-make-shell-command
+         org-babel-sqlite3-command
+         (if headers-p "-header" "-noheader")
+         (when separator (format "-separator %s" separator))
+         (when nullvalue (format "-nullvalue %s" nullvalue))
+         (mapcar
+         (lambda (arg) (format "-%s" (substring (symbol-name arg) 1)))
+         others)
+         ;; for easy table parsing, default header type should be -csv
+         (unless (or (member :csv others) (member :column others)
+                    (member :line others) (member :list others)
+                    (member :html others) separator)
+          "-csv")
+         db)
        ;; body of the code block
        (org-babel-expand-body:sqlite body params)))
       (org-babel-result-cond result-params
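Review bot: `(format "-separator %s" separator)` on the new side hands org-make-shell-command a single string, which the helper quotes as one word, so sqlite3 receives `-separator ,` as a single argv entry instead of the option followed by its value; the `-nullvalue` line has the same problem. Since the new helper accepts a list of elements, pass the pair as `(when separator (list "-separator" separator))` and `(when nullvalue (list "-nullvalue" nullvalue))`, which keeps the user-supplied value as its own quoted argument. `db` now reaches the shell through shell-quote-argument, which is what closes the reported injection. The enclosing org-babel-execute:sqlite begins before the hunk.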
diff --git a/lisp/org-macs.el b/lisp/org-macs.el
index 442c607d7..3c92c9405 100644
--- a/lisp/org-macs.el
+++ b/lisp/org-macs.el
@@ -1592,6 +1592,33 @@ (defun org-sxhash-safe (obj &optional counter)
          (puthash hash obj org-sxhash-objects)
          (puthash obj hash org-sxhash-hashes)))))
 
+(defun org-make-shell-command (command &rest args)
+  "Build safe shell command string to run COMMAND with ARGS.
+
+The resulting shell command is safe against malicious shell expansion.
+
+ARGS can be nil, strings, (literal STRING), or a list of such elements.
+Strings will be quoted with `shell-quote-argument' while
+(literal STRING) will be used without quoting.
+nil values will be ignored."
+  (concat
+   command (when command " ")
+   (mapconcat
+    #'identity
+    (delq
+     nil
+     (mapcar
+      (lambda (str-def)
+        (pcase str-def
+          (`(or nil "") nil)
+          ((pred stringp) (shell-quote-argument str-def))
+          (`(literal ,(and (pred stringp) str))
+           str)
+          ((pred listp) (apply #'org-make-shell-command nil str-def))
+          (_ (error "Unknown ARG specification: %S" str-def))))
+      args))
+    " ")))
+
 (defun org-compile-file (source process ext &optional err-msg log-buf spec)
   "Compile a SOURCE file using PROCESS.
 
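Review bot: The first pcase clause, `(`(or nil "") nil)`, is a backquote pattern that matches the literal three-element list `(or nil "")`, not nil or the empty string, so neither value is skipped as the docstring promises: nil falls through to the `listp` branch and comes back as "" (which delq nil does not drop, leaving a doubled space), and "" is quoted to `''` and becomes an empty argument to COMMAND. Replace the clause with `((or 'nil "") nil)` so both values are dropped before quoting. The docstring should also state that callers remain responsible for never wrapping untrusted input in (literal ...), since that form bypasses shell-quote-argument by design.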
-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
