From: Max Nikulin
Subject: Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
Date: Thu, 17 Aug 2023 23:11:01 +0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.14.0
On 13/08/2023 14:52, Ihor Radchenko wrote:
> What do you think about creating a new API to built shell commands and then using it across all the babel backends?
I support the idea in general, but not its particular implementation as `org-make-shell-command' in your patch.
It does not address the issue I raised.

#+begin_src sqlite :db '(literal "/tmp/ob.sqlite$(date >/tmp/ob-sqlite-vuln.log)")
select 1
#+end_src

still executes a shell command without a user prompt. Moreover, for org-babel such a value does not look like something that may be evaluated, it is just a list. So the proposed syntax is more explicit (and I like it), but it does not prevent unsolicited execution of a shell command.
I would consider some way to specify whether COMMAND should be quoted as well. A path to an executable may contain a space or other special character, at least for some shells. On the other hand, it is a more usual case to specify some arguments to the command.
I am unsure if a note should be added to the `org-fill-template' docstring that the function should not be used for building shell commands.
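As an added illustration of the quoting point above (example code, not part of this thread or of Org's own `org-make-shell-command' patch): a builder that passes every component of the command, the executable included, through `shell-quote-argument', and refuses a header-argument value that is not a string. The names `my-sqlite-command' and `my-db-value' are hypothetical; the `:db' value is the one from the block quoted above.

```elisp
;; Added example, not Org's code.  Builds the sqlite3 command line from a
;; :db header argument so that shell metacharacters in the value are passed
;; literally to sqlite3 instead of being interpreted by the shell.

(defun my-sqlite-command (db &rest args)
  "Return a shell command string that runs sqlite3 on DB with extra ARGS.
DB must be a string; a list value such as (literal \"...\") is rejected
instead of being interpolated.  Every element, the executable included,
goes through `shell-quote-argument' (hypothetical helper, not Org API)."
  (unless (stringp db)
    (error "Header argument :db must be a string, got %S" db))
  (mapconcat #'shell-quote-argument
             (append (list "sqlite3" db) args)
             " "))

;; Constructed value mirroring the report: a path carrying a command
;; substitution that a naive template fill would hand to the shell.
(defconst my-db-value "/tmp/ob.sqlite$(date >/tmp/ob-sqlite-vuln.log)")

;; Naive concatenation: $(...) is left intact for the shell to evaluate.
(concat "sqlite3 " my-db-value)

;; Quoted form: on a POSIX shell `$', `(', `)', `>' and the space are
;; backslash-escaped, so sqlite3 receives the odd file name and nothing runs.
(my-sqlite-command my-db-value)

;; Extra arguments (e.g. an SQL statement) are quoted the same way.
(my-sqlite-command "/tmp/ob.sqlite" "select 1")

;; A list value, as in the quoted block, signals an error instead.
(condition-case err
    (my-sqlite-command '(literal "/tmp/ob.sqlite"))
  (error (cadr err)))
```

Evaluate the forms in `ielm' or with `M-:' to compare the two strings; whether the second one is safe still depends on `shell-quote-argument' matching the shell that `shell-file-name' points at.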