help-bash

Verifying numeric values


From: tolugboji
Subject: Verifying numeric values
Date: Tue, 19 Oct 2021 03:37:32 +0000

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Tuesday, October 19th, 2021 at 3:25 AM, Greg Wooledge <greg@wooledge.org> wrote:

> On Mon, Oct 18, 2021 at 11:10:32PM -0400, Andy Chu wrote:
>
> > Try this:
> >
> > is_valid() {
> >   local x=$1
> >   local b=$(( 1 <= x && x <= 255 ))
> >   return $(( ! b ))  # 0 is true, 1 is false
> > }
>
> Using un-validated input in a math context is a code injection in bash.
> Given that the purpose of this function is to validate the input, one
> must assume the input may be malicious.
>
> unicorn:~$ is_valid 'a[0$(date >&2)]'
> Mon Oct 18 23:20:48 EDT 2021
>
> You've also got an issue with variables that point to each other (or to
> themselves):
>
> unicorn:~$ is_valid x && echo yes
> bash: x: expression recursion level exceeded (error token is "x")
>
> Again, this is a side effect of using potentially unsafe input in a
> bash math context. The value of a variable may be treated as another
> variable.
>
> An input validation function has to operate on the input as a string,
> until it's been verified to be safely numeric.

You are quite right, Greg. Is there a release that fixes the code injection
vulnerability in bash? Or is it complicated?
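A string-first validator along the lines Greg describes, added here as an example and not code from the thread. It checks the same 1..255 range as Andy's function but never hands unvalidated text to a math context, so the two inputs from Greg's message are simply rejected; `check_inputs` and its sample values are constructed for the demonstration.

```shell
#!/bin/sh
# is_valid: accept only a decimal integer in 1..255.
# Returns 0 (true) when valid, 1 (false) otherwise. $1 is never evaluated
# arithmetically until it is known to contain nothing but digits, so
# 'a[0$(date >&2)]' is not executed and 'x' is not dereferenced.
is_valid() {
    local x=$1
    # Step 1: string check. Empty input, or anything that is not an ASCII
    # digit (spaces, signs, brackets, letters), is rejected here.
    case $x in
        '' | *[!0-9]*) return 1 ;;
    esac
    # Step 2: strip leading zeros so "0255" means 255 and "08" is not
    # parsed as an (invalid) octal literal by the arithmetic evaluator.
    x=${x#"${x%%[!0]*}"}
    x=${x:-0}
    # Step 3: bound the length before any arithmetic. 255 has 3 digits, so
    # anything longer is out of range and could only risk integer overflow.
    [ "${#x}" -le 3 ] || return 1
    # Step 4: $x is now a short, all-digit decimal string; comparison is safe.
    [ "$x" -ge 1 ] && [ "$x" -le 255 ]
}

# check_inputs: run constructed inputs through is_valid and return one
# word per input ("ok" or "rejected") so the behaviour can be asserted on.
check_inputs() {
    local out= v
    for v in 42 0255 0 256 '' 'a[0$(date >&2)]' x '1 ' -1 99999999999999999999; do
        if is_valid "$v"; then out="$out ok"; else out="$out rejected"; fi
    done
    printf '%s\n' "${out# }"
}
```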
