
  2. 9

    Have you considered not using the system’s shell to execute commands, and instead doing pipes and spawning yourself? That is, doing Julia’s backticks rather than Ruby’s backticks?

    I understand that that’s a lot more work, as you need to implement pipes yourself. But my understanding is that using the system shell for command execution is a well-known design mistake leading to security vulnerabilities. The docs for Node.js exec say:

    Never pass unsanitized user input to this function. Any input containing shell metacharacters may be used to trigger arbitrary command execution.

    Given the awesome semantics of JavaScript backticks (which give you direct access to string pieces and expressions), I feel pretty strongly that a library like this must be implemented without building in this vulnerability.

    See these blog posts for details:

    1. 1

      Those are good posts, but one way you can work around it in other languages is to use environment variables.

      In Python you can do:

      import subprocess

      # The shell program text is fixed; the untrusted value travels in the
      # environment and is expanded (double-quoted) by the shell at run time.
      subprocess.call('find "$__DIR" | xargs wc -l', shell=True, env={'__DIR': untrusted_data})
      

      Now the user doesn’t have control over the contents of the shell program. I added __ to avoid conflicts with other environment variables, which is a drawback.

      Though not all languages have a convenient syntax for setting env (I’d guess node.js does though).


      One thing I realized is that awk has a better solution, that I’ve often wanted in sed, but it should be in shell too:

      # the untrusted value is passed as data; the awk program text stays fixed
      awk -v name="$untrusted" '{ print name }'
      

      This is better than

      # the untrusted value is spliced into the program text, so it can change the program
      awk "{ print $untrusted }"
      

      So you can imagine osh --declare (since -v is taken): https://github.com/oilshell/oil/issues/933

      Really any interpreter that’s used from the shell, like jq, awk, etc. needs something like this.

      1. 1

        Cool idea, I’ll add something like $.env to zx too.

        1. 1

          Actually I realized that this is not safe in bash precisely because of the things that Oil fixes. Bash and ksh have hidden eval statements but Oil doesn’t. I might write a blog post about this.

          Env control is still a good idea though!

      2. 1

        Thanks for the review. Interesting idea, and yes it can be implemented in zx too.