Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary

emacs-orgmode

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary

From:	Max Nikulin
Subject:	Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
Date:	Sat, 19 Aug 2023 12:58:02 +0700
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.14.0

On 18/08/2023 18:05, Ihor Radchenko wrote:

Max Nikulin writes:

Ihor, this is a list, not an expression to be evaluated. There are some
conditions to avoid user prompts for strings, lists, etc. They are
considered safe.

This particular case is handled namely by ob-sqlite and the proposed
function in org-macs.


Do you have any ideas how to work around the deliberately constructed
header argument values like in your example?

Perhaps `gensym' may be used to create a symbol that can not appear in adocument. I am unsure if the following `pcase' variant may be improved


(`(,(and s (guard (eq s ob-literal-symbol))) ,(and (pred stringp) str))
 str)

for

;; or ob-shell-argument-literal-symbol
(defconst ob-literal-symbol (gensym "literal"))

I hope, list values can not be used to bypass escaping with suchapproach. It is still possible to use evaluated expressions, but userprompt for such cases should be fixed anyway.

P.S. Babel backends should be consistent in respect to treating optionsfor header arguments:

- use as is
- expand ~user and $VAR
- allow any shell expression

[Prev in Thread]

Current Thread

[Next in Thread]

[BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands, Max Nikulin, 2023/08/11
- Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands, Ihor Radchenko, 2023/08/13
  - Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands, Max Nikulin, 2023/08/17
    - Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands, Ihor Radchenko, 2023/08/18
    - Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands, Max Nikulin, 2023/08/18
    - Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands, Ihor Radchenko, 2023/08/18
    - Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands, Max Nikulin <=
    - Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands, Ihor Radchenko, 2023/08/21
    - Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands, Max Nikulin, 2023/08/21
    - Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands, Ihor Radchenko, 2023/08/22
    - Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands, Max Nikulin, 2023/08/28
    - Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands, Ihor Radchenko, 2023/08/29
    - [SECURITY] Shell expansion of babel header args (was: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands), Ihor Radchenko, 2023/08/21
  - Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands, Max Nikulin, 2023/08/17

Prev by Date: Clarification on blank lines following list items
Next by Date: Re: Inconvenient end-of-file behavior in org-mode 9.6 (emacs 29.1)
Previous by thread: Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
Next by thread: Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
Index(es):
- Date
- Thread