1. 17
  2. 28

    When you curl host:3000?FOO=bar, it calls echo.sh with the FOO=bar environment variable.

    curl host:3000?FOO=';rm -rf *'

    1. 1

      False, sorry.

      $ a=';printf asdf'
      
      $ $a
      No command ';printf' found.
      
      $ ls $a
      ls: ;printf: No such file or directory
      ls: asdf: No such file or directory
      
      1. 4

        I was using raw shell input previously, so there was an actual attack vector. I changed the code to make it more secure.

    2. [Comment removed by author]

      1. 2

        They call it AWS Lambda ™ now.

      2. 6

        Forgive me if I’m ignorant, why is this different to CGI?

        1. 3

          CGI is an actual standard. This is just a quick hack I threw together to serve stand-alone executables.

        2. 6

          I’m making another version with a lower-level execute command to mitigate shell attacks.

          1. 3

            There’s a shell injection attack in there, isn’t there?

            https://github.com/tjgillies/unix-web/blob/master/src/server.cr#L7-L10

            1. 1

              This looks quite interesting. Isn’t the way query params are used as the env a possible vector for maliciousness, though, e.g. overwriting existing relied-upon environment variables? Perhaps this could be alleviated by prefixing the query string parameter names when loaded as the environment (e.g. HTTP_FOO instead of FOO).

              This is quite similar to the register_globals issue that PHP suffered for a long time with.

              1. 1

                Yeah, this is pretty much just a simpler version of CGI. CGI uses QUERY_PARAMS to store the entire params. You make a good point, though: you can overload apps that are using something else. Although I’m not sure what you would gain, since these are explicitly wired to the web framework in the config file.

                1. 1

                  Wouldn’t the gain be security/stability?

                  1. 1

                    Yeah, theoretically, but one of the assumptions I’m using while running this for myself is that I’m not using pre-existing ENV vars in the executables I’m using. That can easily change though, so thanks for bringing it up.
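The two mitigations raised in this thread (execute the target directly instead of through a shell, and prefix query-parameter names before exporting them so they cannot clobber variables the process already relies on) can be shown in a few lines. The following is an added example written for this page; it is not code from the unix-web project, which is written in Crystal, and it is in Python only so it can be run anywhere. The `HTTP_` prefix follows the suggestion above, the identifier check on parameter names and the refusal to overwrite pre-existing keys are assumptions of this example, and the "executable" it runs is a constructed stand-in for echo.sh that just prints two environment variables back.

```python
import re
import subprocess
import sys
from urllib.parse import parse_qsl

# Prefix every query-derived variable, as suggested in the thread (HTTP_FOO instead of FOO).
ENV_PREFIX = "HTTP_"
# Only names that are valid environment-variable identifiers are exported (assumption).
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def query_to_env(query_string, base_env):
    """Build the child's environment from a raw query string.

    Each parameter becomes HTTP_<NAME>. Names that are not identifiers are
    dropped, and a key already present in base_env is never overwritten, so a
    request cannot replace PATH, a secret, or anything else the server set.
    """
    env = dict(base_env)
    for name, value in parse_qsl(query_string, keep_blank_values=True, separator="&"):
        if not NAME_RE.match(name):
            continue
        key = ENV_PREFIX + name.upper()
        if key in base_env:
            continue
        env[key] = value
    return env


def run_executable(argv, env):
    """Run argv directly (no shell involved), returning its stdout as text.

    Because the value reaches the child only through the environment, a
    payload such as ';rm -rf *' is an inert string, not a command.
    """
    result = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
    return result.stdout


def demo(query_string):
    # Constructed base environment: a minimal PATH plus a variable the
    # executable is assumed to depend on and that a request must not change.
    base_env = {"PATH": "/usr/bin:/bin", "APP_SECRET": "keep-me"}
    env = query_to_env(query_string, base_env)
    # Constructed stand-in for echo.sh: prints the injected variable and the
    # protected one, so the caller can check that both arrive untouched.
    argv = [
        sys.executable,
        "-c",
        "import os; print(os.environ.get('HTTP_FOO', '')); print(os.environ['APP_SECRET'])",
    ]
    return run_executable(argv, env).splitlines()


if __name__ == "__main__":
    for line in demo("FOO=';rm -rf *'&APP_SECRET=pwned&PATH=/tmp"):
        print(line)
```

Running it with the payload from the thread prints `';rm -rf *'` verbatim as the first line and `keep-me` as the second: the attempted `APP_SECRET=pwned` and `PATH=/tmp` parameters only ever become `HTTP_APP_SECRET` and `HTTP_PATH`, and nothing is handed to a shell for reinterpretation.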