Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands

From: Ihor Radchenko
Subject: Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
Date: Tue, 29 Aug 2023 08:02:13 +0000
Max Nikulin <manikulin@gmail.com> writes:
> On 22/08/2023 16:46, Ihor Radchenko wrote:
>> See the updated version of the patches attached.
>
> Thank you, I do not see apparent issues with the code any more. Commit
> message needs an update, apostrophes in the doc string should be
> escaped. Feel free to ignore other comments since there are other issues
> and investing excessive time into polishing of this one is not reasonable.
Thanks for the feedback!
I have updated the patch, except for the comments I reply to below.
>> + `(org-make-shell-command \"command\" \"-l\"
>> + \"value with spaces\"
>> + (,org-shell-arg-tag-unescaped \"$HOME\")
>> + (mapcar #'identity files)))
>
> Is `mapcar' necessary here? Anyway `delq' is called on another result of
> `mapcar', so the function should not do any destructive list modification.
The idea was to highlight that `files' is a list.
I now changed this to
files ; list variable
> An idea that may be ignored: make the constant internal and add
> (defsubst org-make-shell-command-unescaped (arg)
> (list org--shell-arg-tag-unescaped arg))
>
> to avoid `, noise in `(,org-shell-arg-tag-unescaped STRING).
Good idea. I also converted `org-make-shell-command' into a defsubst that
cannot be reliably advised, to reduce attack vectors further.
>> +will shell-escape \"-l\", \"value with spaces\", and each non-nil member of
>
> There is nothing to escape in "-l".
I deliberately list all the arguments, detailing which are escaped and
which are not.
> Perhaps it deserves a mention that COMMAND is passed unquoted to be
> suitable for commands with arguments as defcustom user option values. To
> escape it pass nil as first argument and add COMMAND before ARGS.
>> - (org-fill-template
>
> Should an explicit warning be added to `org-fill-template' that enough
> care is required to escape values if it is used to build a shell command?
I don't think so. `org-fill-template' is usually not used to build a shell
command. ob-sqlite is the only instance of such use in Org code. Other
backends use different Elisp means to build shell command strings. So,
adding a warning to the `org-fill-template' docstring will not achieve much.
The new version of the org-macs patch attached.
>From 9e0128b205f568795d8c4688a7a94c175b1b2007 Mon Sep 17 00:00:00 2001
Message-ID:
<9e0128b205f568795d8c4688a7a94c175b1b2007.1693295856.git.yantar92@posteo.net>
From: Ihor Radchenko <yantar92@posteo.net>
Date: Mon, 21 Aug 2023 09:57:50 +0300
Subject: [PATCH] org-macs: New common API function to quote shell arguments
* lisp/org-macs.el (org-shell-arg-tag-unescaped): New auxiliary
constant.
(org-make-shell-command): New function that returns shell command
built from individual shell arguments, escaping them to prevent
malicious code execution.
Link: https://orgmode.org/list/ub549k$q11$1@ciao.gmane.io
---
lisp/org-macs.el | 51 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
diff --git a/lisp/org-macs.el b/lisp/org-macs.el
index 907e8bed7..6bcd393ce 100644
--- a/lisp/org-macs.el
+++ b/lisp/org-macs.el
@@ -1593,6 +1593,57 @@ (defun org-sxhash-safe (obj &optional counter)
(puthash hash obj org-sxhash-objects)
(puthash obj hash org-sxhash-hashes)))))
+;; We use `gensym' to avoid malicious code know in advance the symbol
+;; used to prevent escaping.
+(defconst org-shell-arg-tag-unescaped (gensym "literal")
+ "Symbol to be used to mark shell arguments that should not be escaped.
+See `org-make-shell-command'.")
+;; We are deliberately using `defsubst' below, to make it harder to
+;; advice this function.
+(defsubst org-shell-arg-unescaped (string-arg)
+ "Mark STRING-ARG argument to be unescaped in `org-make-shell-command'."
+ (list org-shell-arg-tag-unescaped string-arg))
+(defsubst org-make-shell-command (command &rest args)
+ "Build safe shell command string to run COMMAND with ARGS.
+
+The resulting shell command is safe against malicious shell expansion.
+
+This function is used to avoid unexpected shell expansion when
+building shell command using header arguments from Org babel blocks.
+
+ARGS can be nil, strings, the return value of (org-shell-arg-unescaped
+STRING), or a list of such elements. For example,
+
+ (let ((files \\='(\"a.txt\" \"b.txt\" nil \"$HOME.txt\")))
+ (org-make-shell-command \"command\" \"-l\"
+ \"value with spaces\"
+ (org-shell-arg-unescaped \"$HOME\")
+ files ; list variable
+ ))
+
+will shell-escape \"-l\", \"value with spaces\", and each non-nil member of
+FILES list, but leave \"$HOME\" to be shell-expanded.
+
+COMMAND itself can contain shell expansion constructs - no escaping
+will be performed."
+ (concat
+ command (when command " ")
+ (mapconcat
+ #'identity
+ (delq
+ nil
+ (mapcar
+ (lambda (str-def)
+ (pcase str-def
+ (`nil nil)
+ ((pred stringp) (shell-quote-argument str-def))
+ (`(,(pred (eq org-shell-arg-tag-unescaped)) ,(and (pred stringp)
str))
+ str)
+ ((pred listp) (apply #'org-make-shell-command nil str-def))
+ (_ (error "Unknown ARG specification: %S" str-def))))
+ args))
+ " ")))
+
(defun org-compile-file (source process ext &optional err-msg log-buf spec)
"Compile a SOURCE file using PROCESS.
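Review bot: the docstring still does not say how a caller gets COMMAND escaped, which was asked for in the discussion above: the closing paragraph ("COMMAND itself can contain shell expansion constructs - no escaping will be performed.") should add that passing nil as COMMAND and putting the command name first in ARGS escapes it too, which the `(apply #'org-make-shell-command nil str-def)` branch already relies on. Two smaller points on the comments: "to avoid malicious code know in advance the symbol" should read "from knowing in advance", and since the `gensym' value remains reachable through the public constant `org-shell-arg-tag-unescaped` (the internal `org--` name suggested in the thread was not adopted), the comments should present `gensym' and `defsubst' as hardening against accidental misuse by code already running in the same Emacs, not as a barrier; "advice this function" should be "advise this function".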
--
2.42.0
--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
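As an added example, not part of the patch or of Org's own test suite, an ERT test that pins down the escaping behaviour the docstring describes; it assumes the patched org-macs.el above is loaded and a POSIX `shell-quote-argument' (backslash quoting; the MS-Windows variant quotes differently):

```elisp
;; Added example (not from the patch): check `org-make-shell-command'
;; against its own docstring example.  Assumes the patched org-macs.el
;; is on `load-path' and a POSIX `shell-quote-argument'.
(require 'ert)
(require 'org-macs)

(ert-deftest org-make-shell-command/docstring-example ()
  "Plain strings are escaped, tagged strings are passed through."
  (let* ((files '("a.txt" "b.txt" nil "$HOME.txt"))
         (cmd (org-make-shell-command "command" "-l"
                                      "value with spaces"
                                      (org-shell-arg-unescaped "$HOME")
                                      files)))
    ;; Spaces and `$' in plain arguments are backslash-escaped, the nil
    ;; member is dropped, and only the tagged "$HOME" reaches the shell.
    (should (equal cmd
                   "command -l value\\ with\\ spaces $HOME a.txt b.txt \\$HOME.txt"))))

(ert-deftest org-make-shell-command/nil-command-escapes-everything ()
  "With nil as COMMAND, the former command name becomes an escaped ARG."
  (should (equal (org-make-shell-command nil "echo $HOME" "x y")
                 "echo\\ \\$HOME x\\ y")))

(ert-deftest org-make-shell-command/rejects-unknown-specs ()
  "Non-string, non-list ARGS signal an error instead of being joined."
  (should-error (org-make-shell-command "command" 42)))
```

Run with `M-x ert RET org-make-shell-command/ RET`; the first test mirrors the docstring example, the second the nil-COMMAND idiom discussed in the thread.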