emacs-orgmode
From: Ihor Radchenko
Subject: [SECURITY] Shell expansion of babel header args (was: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands)
Date: Mon, 21 Aug 2023 07:09:16 +0000

Max Nikulin <manikulin@gmail.com> writes:

> P.S. Babel backends should be consistent with respect to treating options
> for header arguments:
> - use as is
> - expand ~user and $VAR
> - allow any shell expression

We cannot generally know which header arg values can or cannot be
shell-expanded. It is something only individual babel backends can know.

However, there are frequently used header arguments like :cmd, where it
does make sense to allow shell expansion. But we may need to safeguard
them behind a user prompt for safety, similar to what has to be done for
Elisp evaluation.

We can allow backends to specify the "safety" of a header argument value,
similar to how we now define the allowed values in
`org-babel-common-header-args-w-values'. Then, babel can prompt for user
confirmation every time an "unsafe" argument value is encountered.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
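An illustration of the proposal above, added here and not part of Org's code or of the message: a hypothetical per-backend safety table for header arguments, and a guard that expands only ~user and $VAR for "expand"-class values while asking for confirmation before a "shell"-class value such as :cmd is handed to a shell. The names `my-babel-header-arg-safety` and `my-babel-expand-header-arg` and the three safety classes are assumptions, not an Org API.

```elisp
;; Added example, not Org's own code.  A backend would declare, per header
;; argument, how its value may be treated (cf. the three tiers quoted above):
;;   as-is  -> use the string verbatim, never expanded
;;   expand -> only ~user and $VAR, via Emacs file-name functions (no shell)
;;   shell  -> full shell expansion, allowed only after user confirmation
(defvar my-babel-header-arg-safety
  '((:dir  . expand)
    (:file . expand)
    (:cmd  . shell))
  "Hypothetical backend declaration of how each header arg may be expanded.
Arguments not listed default to `as-is'.")

(defconst my-babel-plain-value-regexp "\\`[[:alnum:]_./ -]*\\'"
  "Values matching this contain no shell metacharacters and need no prompt.")

(defun my-babel-expand-header-arg (key value)
  "Return VALUE for header arg KEY, treated according to its safety class.
Signal a `user-error' when the user refuses an unsafe shell expansion."
  (pcase (alist-get key my-babel-header-arg-safety 'as-is)
    ('as-is value)
    ;; `substitute-in-file-name' handles $VAR and ${VAR}; `expand-file-name'
    ;; handles ~ and ~user.  Neither runs a shell, so $(cmd) and backticks
    ;; stay inert text.
    ('expand (expand-file-name (substitute-in-file-name value)))
    ('shell
     (if (or (string-match-p my-babel-plain-value-regexp value)
             (yes-or-no-p
              (format "Header arg %s = %S will be shell-expanded.  Allow? "
                      key value)))
         value
       (user-error "Refused shell expansion of header arg %s" key)))))

;; Constructed usage (no live shell involved in the first two calls):
;; (my-babel-expand-header-arg :dir "~/proj/$USER")   ; expanded, no prompt
;; (my-babel-expand-header-arg :cmd "sqlite3")        ; plain value, no prompt
;; (my-babel-expand-header-arg :cmd "sqlite3 $(id)")  ; prompts before use
```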