Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands

[Ihor Radchenko]

Max Nikulin <manikulin@gmail.com> writes:

> On 21/08/2023 14:04, Ihor Radchenko wrote:
>> +(defconst org-shell-arg-literal (gensym "literal")
>
> (opinion) Perhaps a better name exists. Maybe 
> org-shell-arg-tag-unescaped (or unquoted)
> ...

See the updated version of the patches attached.

>From 6909d6165df11bbc256a334488d37ce0ef98523e Mon Sep 17 00:00:00 2001
Message-ID: 
<6909d6165df11bbc256a334488d37ce0ef98523e.1692697539.git.yantar92@posteo.net>
From: Ihor Radchenko <yantar92@posteo.net>
Date: Mon, 21 Aug 2023 09:57:50 +0300
Subject: [PATCH 1/2] org-macs: New common API function to quote shell
 arguments

* lisp/org-macs.el (org-shell-arg-literal): New auxiliary constant.
(org-make-shell-command): New function that returns shell command
built from individual shell arguments, escaping them to prevent
malicious code execution.

Link: https://orgmode.org/list/ub549k$q11$1@ciao.gmane.io
---
 lisp/org-macs.el | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/lisp/org-macs.el b/lisp/org-macs.el
index 907e8bed7..73f8b59f9 100644
--- a/lisp/org-macs.el
+++ b/lisp/org-macs.el
@@ -1593,6 +1593,46 @@ (defun org-sxhash-safe (obj &optional counter)
          (puthash hash obj org-sxhash-objects)
          (puthash obj hash org-sxhash-hashes)))))
 
+(defconst org-shell-arg-tag-unescaped (gensym "literal")
+  "Symbol to be used to mark shell arguments that should not be escaped.
+See `org-make-shell-command'.")
+(defun org-make-shell-command (command &rest args)
+  "Build safe shell command string to run COMMAND with ARGS.
+
+The resulting shell command is safe against malicious shell expansion.
+
+This function is used to avoid unexpected shell expansion when
+building shell command using header arguments from Org babel blocks.
+
+ARGS can be nil, strings, `(,org-shell-arg-tag-unescaped STRING), or a
+list of such elements.  For example,
+
+ (let ((files '(\"a.txt\" \"b.txt\" nil \"$HOME.txt\")))
+  `(org-make-shell-command \"command\" \"-l\"
+      \"value with spaces\"
+      (,org-shell-arg-tag-unescaped \"$HOME\")
+      (mapcar #'identity files)))
+
+will shell-escape \"-l\", \"value with spaces\", and each non-nil member of
+FILES list, but leave \"$HOME\" to be expanded."
+  (concat
+   command (when command " ")
+   (mapconcat
+    #'identity
+    (delq
+     nil
+     (mapcar
+      (lambda (str-def)
+        (pcase str-def
+          (`nil nil)
+          ((pred stringp) (shell-quote-argument str-def))
+          (`(,(pred (eq org-shell-arg-tag-unescaped)) ,(and (pred stringp) 
str))
+           str)
+          ((pred listp) (apply #'org-make-shell-command nil str-def))
+          (_ (error "Unknown ARG specification: %S" str-def))))
+      args))
+    " ")))
+
 (defun org-compile-file (source process ext &optional err-msg log-buf spec)
   "Compile a SOURCE file using PROCESS.
 
-- 
2.41.0

>From db0300d18b7d2986eddd4869b73f5702fb429e93 Mon Sep 17 00:00:00 2001
Message-ID: 
<db0300d18b7d2986eddd4869b73f5702fb429e93.1692697539.git.yantar92@posteo.net>
In-Reply-To: 
<6909d6165df11bbc256a334488d37ce0ef98523e.1692697539.git.yantar92@posteo.net>
References: 
<6909d6165df11bbc256a334488d37ce0ef98523e.1692697539.git.yantar92@posteo.net>
From: Ihor Radchenko <yantar92@posteo.net>
Date: Mon, 21 Aug 2023 09:59:12 +0300
Subject: [PATCH 2/2] org-babel-execute:sqlite: Fix shell arg expansion
 vulnerability

* lisp/ob-sqlite.el (org-babel-execute:sqlite): Use
`org-make-shell-command' to escape the strings taken from Org file.
This will prevent abusing shell expansion.

Reported-by: Max Nikulin <manikulin@gmail.com>
Link: https://orgmode.org/list/ub549k$q11$1@ciao.gmane.io
---
 lisp/ob-sqlite.el | 34 ++++++++++++++--------------------
 1 file changed, 14 insertions(+), 20 deletions(-)

diff --git a/lisp/ob-sqlite.el b/lisp/ob-sqlite.el
index 7510e5158..027f0a72d 100644
--- a/lisp/ob-sqlite.el
+++ b/lisp/ob-sqlite.el
@@ -77,26 +77,20 @@ (defun org-babel-execute:sqlite (body params)
     (with-temp-buffer
       (insert
        (org-babel-eval
-       (org-fill-template
-        "%cmd %header %separator %nullvalue %others %csv %db "
-        (list
-         (cons "cmd" org-babel-sqlite3-command)
-         (cons "header" (if headers-p "-header" "-noheader"))
-         (cons "separator"
-               (if separator (format "-separator %s" separator) ""))
-         (cons "nullvalue"
-               (if nullvalue (format "-nullvalue %s" nullvalue) ""))
-         (cons "others"
-               (mapconcat
-                (lambda (arg) (format "-%s" (substring (symbol-name arg) 1)))
-                others " "))
-         ;; for easy table parsing, default header type should be -csv
-         (cons "csv" (if (or (member :csv others) (member :column others)
-                             (member :line others) (member :list others)
-                             (member :html others) separator)
-                         ""
-                       "-csv"))
-          (cons "db" (or db ""))))
+        (org-make-shell-command
+         org-babel-sqlite3-command
+         (if headers-p "-header" "-noheader")
+         (when separator (list "-separator" separator))
+         (when nullvalue (list "-nullvalue" nullvalue))
+         (mapcar
+         (lambda (arg) (format "-%s" (substring (symbol-name arg) 1)))
+         others)
+         ;; for easy table parsing, default header type should be -csv
+         (unless (or (member :csv others) (member :column others)
+                    (member :line others) (member :list others)
+                    (member :html others) separator)
+          "-csv")
+         db)
        ;; body of the code block
        (org-babel-expand-body:sqlite body params)))
       (org-babel-result-cond result-params
-- 
2.41.0


-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>