From: Ihor Radchenko
To: Max Nikulin
Cc: emacs-orgmode@gnu.org
Subject: Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
In-Reply-To:
References: <87zg2vl6qc.fsf@localhost> <87cyzkpwp4.fsf@localhost> <87o7j43921.fsf@localhost> <87h6os6fm6.fsf@localhost> <87y1i31kb3.fsf@localhost>
Date: Tue, 29 Aug 2023 08:02:13 +0000
Message-ID: <87ledu1dkq.fsf@localhost>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
List-Id: "General discussions about Org-mode."

--=-=-=
Content-Type: text/plain

Max Nikulin writes:

> On 22/08/2023 16:46, Ihor Radchenko wrote:
>> See the updated version of the patches attached.
>
> Thank you, I do not see apparent issues with code any more. Commit
> message needs an update, apostrophes in the doc string should be
> escaped. Feel free to ignore other comments since there are other issues
> and investing excessive time into polishing of this one is not reasonable.

Thanks for the feedback! I have updated the patch, except for the
comments I reply to below.
>> +    `(org-make-shell-command \"command\" \"-l\"
>> +                             \"value with spaces\"
>> +                             (,org-shell-arg-tag-unescaped \"$HOME\")
>> +                             (mapcar #'identity files)))
>
> Is `mapcar' necessary here? Anyway `delq' is called on another result of
> `mapcar', so the function should not do any destructive list modification.

The idea was to highlight that `files' is a list. I now changed this to

    files ; list variable

> An idea that may be ignored: make the constant internal and add
> (defsubst org-make-shell-command-unescaped (arg)
>   (list org--shell-arg-tag-unescaped arg))
>
> to avoid `, noise in `(,org-shell-arg-tag-unescaped STRING).

Good idea. I also converted `org-make-shell-command' into a defsubst that
cannot be reliably advised, to reduce attack vectors further.

>> +will shell-escape \"-l\", \"value with spaces\", and each non-nil member of
>
> There is nothing to escape in "-l".

I deliberately list all the arguments, detailing which are escaped and
which are not.

> Perhaps it deserves a mention that COMMAND is passed unquoted to be
> suitable for commands with arguments as defcustom user option values. To
> escape it pass nil as first argument and add COMMAND before ARGS.

>> -      (org-fill-template
>
> Should an explicit warning be added to `org-fill-template' that enough
> care is required to escape values if it is used to build a shell command?

I don't think so. `org-fill-template' is usually not used to build a shell
command. ob-sqlite is the only instance of such use in Org code. Other
backends use different Elisp means to build shell command strings. So,
adding a warning to the `org-fill-template' docstring will not achieve much.

The new version of the org-macs patch is attached.

--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline; filename=0001-org-macs-New-common-API-function-to-quote-shell-argu.patch

>From 9e0128b205f568795d8c4688a7a94c175b1b2007 Mon Sep 17 00:00:00 2001
Message-ID: <9e0128b205f568795d8c4688a7a94c175b1b2007.1693295856.git.yantar92@posteo.net>
From: Ihor Radchenko
Date: Mon, 21 Aug 2023 09:57:50 +0300
Subject: [PATCH] org-macs: New common API function to quote shell arguments

* lisp/org-macs.el (org-shell-arg-tag-unescaped): New auxiliary constant.
(org-make-shell-command): New function that returns shell command built
from individual shell arguments, escaping them to prevent malicious code
execution.

Link: https://orgmode.org/list/ub549k$q11$1@ciao.gmane.io
---
 lisp/org-macs.el | 51 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/lisp/org-macs.el b/lisp/org-macs.el
index 907e8bed7..6bcd393ce 100644
--- a/lisp/org-macs.el
+++ b/lisp/org-macs.el
@@ -1593,6 +1593,57 @@ (defun org-sxhash-safe (obj &optional counter) (puthash hash obj org-sxhash-objects) (puthash obj hash org-sxhash-hashes))))) +;; We use `gensym' to avoid malicious code know in advance the symbol +;; used to prevent escaping. +(defconst org-shell-arg-tag-unescaped (gensym "literal") + "Symbol to be used to mark shell arguments that should not be escaped. +See `org-make-shell-command'.") +;; We are deliberately using `defsubst' below, to make it harder to +;; advice this function. +(defsubst org-shell-arg-unescaped (string-arg) + "Mark STRING-ARG argument to be unescaped in `org-make-shell-command'." + (list org-shell-arg-tag-unescaped string-arg)) +(defsubst org-make-shell-command (command &rest args) + "Build safe shell command string to run COMMAND with ARGS. + +The resulting shell command is safe against malicious shell expansion. + +This function is used to avoid unexpected shell expansion when +building shell command using header arguments from Org babel blocks. + +ARGS can be nil, strings, the return value of (org-shell-arg-unescaped +STRING), or a list of such elements. For example, + + (let ((files \\='(\"a.txt\" \"b.txt\" nil \"$HOME.txt\"))) + (org-make-shell-command \"command\" \"-l\" + \"value with spaces\" + (org-shell-arg-unescaped \"$HOME\") + files ; list variable + )) + +will shell-escape \"-l\", \"value with spaces\", and each non-nil member of +FILES list, but leave \"$HOME\" to be shell-expanded. + +COMMAND itself can contain shell expansion constructs - no escaping +will be performed." 
+ (concat + command (when command " ") + (mapconcat + #'identity + (delq + nil + (mapcar + (lambda (str-def) + (pcase str-def + (`nil nil) + ((pred stringp) (shell-quote-argument str-def)) + (`(,(pred (eq org-shell-arg-tag-unescaped)) ,(and (pred stringp) str)) + str) + ((pred listp) (apply #'org-make-shell-command nil str-def)) + (_ (error "Unknown ARG specification: %S" str-def)))) + args)) + " "))) + (defun org-compile-file (source process ext &optional err-msg log-buf spec) "Compile a SOURCE file using PROCESS. -- 2.42.0 --=-=-= Content-Type: text/plain -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at . Support Org development at , or support my work at --=-=-=--
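Review bot: the `(when command " ")` separator and the nested-list clause both leave stray whitespace in the result: `(org-make-shell-command "cmd")` returns `"cmd "` with a trailing space, and a nested list that reduces to nothing, such as `(list nil)`, comes back from the recursive `(apply #'org-make-shell-command nil str-def)` as `""` and is then joined as a doubled space; collecting `command` and the quoted arguments into one list, dropping nil and empty strings, and joining once with `mapconcat` avoids both. The comment above `org-shell-arg-unescaped` presents `defsubst` as making the functions harder to advise, but inlining only happens in byte-compiled callers; interpreted code still calls through the function cell, where advice applies as usual, so the comment should not read as a guarantee. The ChangeLog entry in the commit message names `org-shell-arg-tag-unescaped` and `org-make-shell-command` but not the new `org-shell-arg-unescaped` this hunk adds; it should be listed as well.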
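As an added illustration of the quoting this thread is about (example code written for this page, not code from the patch or from Org itself; the `my/` helpers and the sample header-argument values are constructed, and a POSIX `/bin/sh` as `shell-file-name` is assumed): the first builder splices values into the command line verbatim, which is the shape of the template-filling construction the thread is replacing, while the second passes each value through Emacs's `shell-quote-argument`, which is what the patch's `org-make-shell-command` does for plain string arguments. The third helper runs the resulting line through the shell with a bracketing `printf` so you can see how many arguments the shell actually received.

```elisp
;; Added example for this page; not Org code.  The `my/' helpers are
;; hypothetical, and the sample values below are constructed.
(require 'subr-x)                       ; `string-join'

;; Constructed stand-ins for values taken from a babel header line.
;; "$HOME.txt" is the value the patch's docstring uses to show what must
;; not reach the shell unquoted.
(defconst my/sample-args '("-csv" "value with spaces" "$HOME.txt"))

(defun my/unsafe-command (cmd args)
  "Build a command line by splicing ARGS after CMD verbatim.
This mirrors filling a template with header-argument values: the
shell later re-splits \"value with spaces\" into three words and
expands $HOME, so a header argument can smuggle in shell syntax."
  (concat cmd " " (string-join args " ")))

(defun my/safe-command (cmd args)
  "Build a command line with every element of ARGS shell-quoted.
`shell-quote-argument' backslash-escapes anything outside its safe
set (letters, digits, - _ . /), so each value survives as exactly one
argument and no expansion happens.  CMD is left as-is, as in the
patch, so a user option such as \"sqlite3 -bail\" keeps working."
  (concat cmd " " (mapconcat #'shell-quote-argument args " ")))

(defun my/show-shell-args (command-line)
  "Run COMMAND-LINE through the shell and return its output.
Intended for a COMMAND-LINE whose command is a printf with a
bracketing format, so the output has one <...> line per argument the
shell passed on.  Assumes a POSIX shell."
  (shell-command-to-string command-line))

;; Evaluate these in *scratch* to compare the two builders.  The format
;; string is the COMMAND and is passed unquoted, exactly as the patch
;; passes COMMAND; only the header-argument values are quoted.
;; (my/show-shell-args (my/unsafe-command "printf '<%s>\\n'" my/sample-args))
;; (my/show-shell-args (my/safe-command "printf '<%s>\\n'" my/sample-args))
```

With the unquoted builder the output has one bracketed line per word, so "value with spaces" arrives as three separate arguments and the `$HOME.txt` line shows the expanded home directory; with the quoted builder there are exactly three bracketed lines and both values arrive intact. The same distinction is what the docstring example in the patch describes: strings are quoted, and only values explicitly tagged with `org-shell-arg-unescaped` are left for the shell to expand.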