Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands

From: Ihor Radchenko
Subject: Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
Date: Tue, 22 Aug 2023 09:46:24 +0000
Max Nikulin <manikulin@gmail.com> writes:
> On 21/08/2023 14:04, Ihor Radchenko wrote:
>> +(defconst org-shell-arg-literal (gensym "literal")
>
> (opinion) Perhaps a better name exists. Maybe
> org-shell-arg-tag-unescaped (or unquoted)
> ...
See the updated version of the patches attached.
From 6909d6165df11bbc256a334488d37ce0ef98523e Mon Sep 17 00:00:00 2001
Message-ID: <6909d6165df11bbc256a334488d37ce0ef98523e.1692697539.git.yantar92@posteo.net>
From: Ihor Radchenko <yantar92@posteo.net>
Date: Mon, 21 Aug 2023 09:57:50 +0300
Subject: [PATCH 1/2] org-macs: New common API function to quote shell arguments
* lisp/org-macs.el (org-shell-arg-literal): New auxiliary constant.
(org-make-shell-command): New function that returns shell command
built from individual shell arguments, escaping them to prevent
malicious code execution.
Link: https://orgmode.org/list/ub549k$q11$1@ciao.gmane.io
---
lisp/org-macs.el | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/lisp/org-macs.el b/lisp/org-macs.el
index 907e8bed7..73f8b59f9 100644
--- a/lisp/org-macs.el
+++ b/lisp/org-macs.el
@@ -1593,6 +1593,46 @@ (defun org-sxhash-safe (obj &optional counter)
(puthash hash obj org-sxhash-objects)
(puthash obj hash org-sxhash-hashes)))))
+(defconst org-shell-arg-tag-unescaped (gensym "literal")
+ "Symbol to be used to mark shell arguments that should not be escaped.
+See `org-make-shell-command'.")
+(defun org-make-shell-command (command &rest args)
+ "Build safe shell command string to run COMMAND with ARGS.
+
+The resulting shell command is safe against malicious shell expansion.
+
+This function is used to avoid unexpected shell expansion when
+building shell command using header arguments from Org babel blocks.
+
+ARGS can be nil, strings, `(,org-shell-arg-tag-unescaped STRING), or a
+list of such elements. For example,
+
+ (let ((files '(\"a.txt\" \"b.txt\" nil \"$HOME.txt\")))
+ `(org-make-shell-command \"command\" \"-l\"
+ \"value with spaces\"
+ (,org-shell-arg-tag-unescaped \"$HOME\")
+ (mapcar #'identity files)))
+
+will shell-escape \"-l\", \"value with spaces\", and each non-nil member of
+FILES list, but leave \"$HOME\" to be expanded."
+ (concat
+ command (when command " ")
+ (mapconcat
+ #'identity
+ (delq
+ nil
+ (mapcar
+ (lambda (str-def)
+ (pcase str-def
+ (`nil nil)
+ ((pred stringp) (shell-quote-argument str-def))
+ (`(,(pred (eq org-shell-arg-tag-unescaped)) ,(and (pred stringp)
str))
+ str)
+ ((pred listp) (apply #'org-make-shell-command nil str-def))
+ (_ (error "Unknown ARG specification: %S" str-def))))
+ args))
+ " ")))
+
(defun org-compile-file (source process ext &optional err-msg log-buf spec)
"Compile a SOURCE file using PROCESS.
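Review bot: the docstring example does not actually call the function. The backquote in front of `(org-make-shell-command \"command\" \"-l\" ...` turns the whole form into a quoted list in which only `,org-shell-arg-tag-unescaped` is evaluated, so `(mapcar #'identity files)` is never run and no command string is built. Drop the outer backquote and write the tagged element as `(list org-shell-arg-tag-unescaped \"$HOME\")`, or keep a backquote on that single element only. Two smaller points in the same hunk: the ChangeLog entry and the `(gensym "literal")` prefix still use the old name `org-shell-arg-literal` while the defconst is now `org-shell-arg-tag-unescaped`, so the commit message should name the constant that is actually added; and the docstring's claim that the result is "safe against malicious shell expansion" holds only for the shell `shell-quote-argument` targets (it picks its quoting rules from `system-type`), which is worth stating explicitly since callers must run the string through that same shell.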
--
2.41.0
From db0300d18b7d2986eddd4869b73f5702fb429e93 Mon Sep 17 00:00:00 2001
Message-ID: <db0300d18b7d2986eddd4869b73f5702fb429e93.1692697539.git.yantar92@posteo.net>
In-Reply-To: <6909d6165df11bbc256a334488d37ce0ef98523e.1692697539.git.yantar92@posteo.net>
References: <6909d6165df11bbc256a334488d37ce0ef98523e.1692697539.git.yantar92@posteo.net>
From: Ihor Radchenko <yantar92@posteo.net>
Date: Mon, 21 Aug 2023 09:59:12 +0300
Subject: [PATCH 2/2] org-babel-execute:sqlite: Fix shell arg expansion vulnerability
* lisp/ob-sqlite.el (org-babel-execute:sqlite): Use
`org-make-shell-command' to escape the strings taken from Org file.
This will prevent abusing shell expansion.
Reported-by: Max Nikulin <manikulin@gmail.com>
Link: https://orgmode.org/list/ub549k$q11$1@ciao.gmane.io
---
lisp/ob-sqlite.el | 34 ++++++++++++++--------------------
1 file changed, 14 insertions(+), 20 deletions(-)
diff --git a/lisp/ob-sqlite.el b/lisp/ob-sqlite.el
index 7510e5158..027f0a72d 100644
--- a/lisp/ob-sqlite.el
+++ b/lisp/ob-sqlite.el
@@ -77,26 +77,20 @@ (defun org-babel-execute:sqlite (body params)
(with-temp-buffer
(insert
(org-babel-eval
- (org-fill-template
- "%cmd %header %separator %nullvalue %others %csv %db "
- (list
- (cons "cmd" org-babel-sqlite3-command)
- (cons "header" (if headers-p "-header" "-noheader"))
- (cons "separator"
- (if separator (format "-separator %s" separator) ""))
- (cons "nullvalue"
- (if nullvalue (format "-nullvalue %s" nullvalue) ""))
- (cons "others"
- (mapconcat
- (lambda (arg) (format "-%s" (substring (symbol-name arg) 1)))
- others " "))
- ;; for easy table parsing, default header type should be -csv
- (cons "csv" (if (or (member :csv others) (member :column others)
- (member :line others) (member :list others)
- (member :html others) separator)
- ""
- "-csv"))
- (cons "db" (or db ""))))
+ (org-make-shell-command
+ org-babel-sqlite3-command
+ (if headers-p "-header" "-noheader")
+ (when separator (list "-separator" separator))
+ (when nullvalue (list "-nullvalue" nullvalue))
+ (mapcar
+ (lambda (arg) (format "-%s" (substring (symbol-name arg) 1)))
+ others)
+ ;; for easy table parsing, default header type should be -csv
+ (unless (or (member :csv others) (member :column others)
+ (member :line others) (member :list others)
+ (member :html others) separator)
+ "-csv")
+ db)
;; body of the code block
(org-babel-expand-body:sqlite body params)))
(org-babel-result-cond result-params
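Review bot: the commit message should spell out the user-visible behaviour change in this hunk. Before, `separator`, `nullvalue` and `db` were spliced into the template unquoted (`(format "-separator %s" separator)`, `(or db "")`), so any value containing shell syntax was expanded by the shell and an empty `separator` produced a bare `-separator ` that made sqlite3 consume the next token as its value; after the change every header-arg value reaches sqlite3 as one literal argument, an empty string arrives as `''`, and a nil `db` is simply dropped by `org-make-shell-command` rather than becoming `""`. That is the intended fix, but users who relied on shell expansion in `:separator` or `:db` will see different results, so a line in the message (or NEWS) would help. Also note that quoting only removes shell interpretation: the `others` entries are still mapped to `-<name>` flags taken straight from the document's keywords, exactly as before, so the Org file still decides which sqlite3 options are passed; since the subject says the vulnerability is fixed, the message should say that this part of the surface is unchanged.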
--
2.41.0
--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
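As an added regression check for the quoting function introduced in patch 1/2 (this is example code, not part of the patches or of Org mode), the ERT tests below load the patched `lisp/org-macs.el` and assert on the strings `org-make-shell-command` returns. They assume a POSIX `system-type`, where `shell-quote-argument` backslash-escapes every character outside `[-0-9a-zA-Z_./\n]`; the expected strings were derived from that rule and the tests skip on MS-DOS and Windows, where the quoting differs. The argument shapes mirror the ones `org-babel-execute:sqlite` now passes: plain strings, nil, nested lists, and a tagged unescaped element.

```elisp
;;; org-make-shell-command-tests.el --- added example, not part of the patch
;;
;; Run from the Org checkout after applying patch 1/2:
;;   emacs -Q -batch -L lisp -l org-macs -l org-make-shell-command-tests.el \
;;         -f ert-run-tests-batch-and-exit
;; Assumption: POSIX quoting rules of `shell-quote-argument'.

(require 'ert)
(require 'org-macs)

(ert-deftest org-make-shell-command/quotes-header-arg-values ()
  "Values taken from header args must reach the command as literal text."
  (skip-unless (not (memq system-type '(ms-dos windows-nt))))
  ;; A separator made of shell metacharacters is backslash-escaped.
  (should (equal (org-make-shell-command "sqlite3" "-separator" "|")
                 "sqlite3 -separator \\|"))
  ;; `$' and spaces in a database path are escaped; nil arguments vanish.
  (should (equal (org-make-shell-command "sqlite3" nil "$HOME/my db.sqlite")
                 "sqlite3 \\$HOME/my\\ db.sqlite"))
  ;; An empty value becomes '' instead of disappearing, so sqlite3 does not
  ;; swallow the following flag as the separator value.
  (should (equal (org-make-shell-command "sqlite3" (list "-separator" ""))
                 "sqlite3 -separator ''"))
  ;; Nested lists are flattened, as in `(when separator (list ...))'.
  (should (equal (org-make-shell-command "sqlite3"
                                         '("-nullvalue" "NULL") nil "-csv")
                 "sqlite3 -nullvalue NULL -csv")))

(ert-deftest org-make-shell-command/unescaped-tag-and-bad-input ()
  "Only elements tagged with `org-shell-arg-tag-unescaped' pass verbatim."
  (should (equal (org-make-shell-command
                  "echo" (list org-shell-arg-tag-unescaped "$HOME"))
                 "echo $HOME"))
  ;; The tag only applies to strings; anything else is rejected loudly
  ;; instead of being silently concatenated into the command line.
  (should-error (org-make-shell-command "echo" 'not-a-string))
  ;; A nil COMMAND yields just the joined, quoted arguments.
  (should (equal (org-make-shell-command nil "a b" "c") "a\\ b c")))

;;; org-make-shell-command-tests.el ends here
```

The second test also pins down the error path: a symbol that is neither nil, a string, a tagged pair nor a list hits the `(_ (error ...))` clause, which is the behaviour a caller wants when a header arg has an unexpected type.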