Max Nikulin <maniku...@gmail.com> writes:

> On 21/08/2023 14:04, Ihor Radchenko wrote:
>> +(defconst org-shell-arg-literal (gensym "literal")
>
> (opinion) Perhaps a better name exists. Maybe
> org-shell-arg-tag-unescaped (or unquoted)
> ...
See the updated version of the patches attached.
>From 6909d6165df11bbc256a334488d37ce0ef98523e Mon Sep 17 00:00:00 2001 Message-ID: <6909d6165df11bbc256a334488d37ce0ef98523e.1692697539.git.yanta...@posteo.net> From: Ihor Radchenko <yanta...@posteo.net> Date: Mon, 21 Aug 2023 09:57:50 +0300 Subject: [PATCH 1/2] org-macs: New common API function to quote shell arguments * lisp/org-macs.el (org-shell-arg-literal): New auxiliary constant. (org-make-shell-command): New function that returns shell command built from individual shell arguments, escaping them to prevent malicious code execution. Link: https://orgmode.org/list/ub549k$q11$1...@ciao.gmane.io --- lisp/org-macs.el | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/lisp/org-macs.el b/lisp/org-macs.el index 907e8bed7..73f8b59f9 100644 --- a/lisp/org-macs.el +++ b/lisp/org-macs.el 
@@ -1593,6 +1593,46 @@ (defun org-sxhash-safe (obj &optional counter) (puthash hash obj org-sxhash-objects) (puthash obj hash org-sxhash-hashes))))) +(defconst org-shell-arg-tag-unescaped (gensym "literal") + "Symbol to be used to mark shell arguments that should not be escaped. +See `org-make-shell-command'.") +(defun org-make-shell-command (command &rest args) + "Build safe shell command string to run COMMAND with ARGS. + +The resulting shell command is safe against malicious shell expansion. + +This function is used to avoid unexpected shell expansion when +building shell command using header arguments from Org babel blocks. + +ARGS can be nil, strings, `(,org-shell-arg-tag-unescaped STRING), or a +list of such elements. For example, + + (let ((files '(\"a.txt\" \"b.txt\" nil \"$HOME.txt\"))) + `(org-make-shell-command \"command\" \"-l\" + \"value with spaces\" + (,org-shell-arg-tag-unescaped \"$HOME\") + (mapcar #'identity files))) + +will shell-escape \"-l\", \"value with spaces\", and each non-nil member of +FILES list, but leave \"$HOME\" to be expanded." + (concat + command (when command " ") + (mapconcat + #'identity + (delq + nil + (mapcar + (lambda (str-def) + (pcase str-def + (`nil nil) + ((pred stringp) (shell-quote-argument str-def)) + (`(,(pred (eq org-shell-arg-tag-unescaped)) ,(and (pred stringp) str)) + str) + ((pred listp) (apply #'org-make-shell-command nil str-def)) + (_ (error "Unknown ARG specification: %S" str-def)))) + args)) + " "))) + (defun org-compile-file (source process ext &optional err-msg log-buf spec) "Compile a SOURCE file using PROCESS. -- 2.41.0
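Review bot: The docstring example in `org-make-shell-command' never calls the function: the backquote in `(org-make-shell-command "command" ...) builds a list, so evaluating the example returns that list instead of a command string. Write it as a direct call with (list org-shell-arg-tag-unescaped "$HOME") for the unescaped element, and pass `files' directly rather than (mapcar #'identity files). Two smaller points: the ChangeLog entry in this patch still names the constant `org-shell-arg-literal' while the hunk defines `org-shell-arg-tag-unescaped' (and (gensym "literal") keeps the old prefix), and the docstring should say that `shell-quote-argument' quotes for the shell selected by `system-type', so the "safe against malicious shell expansion" claim holds only when the resulting string is run through that shell.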
>From db0300d18b7d2986eddd4869b73f5702fb429e93 Mon Sep 17 00:00:00 2001 Message-ID: <db0300d18b7d2986eddd4869b73f5702fb429e93.1692697539.git.yanta...@posteo.net> In-Reply-To: <6909d6165df11bbc256a334488d37ce0ef98523e.1692697539.git.yanta...@posteo.net> References: <6909d6165df11bbc256a334488d37ce0ef98523e.1692697539.git.yanta...@posteo.net> From: Ihor Radchenko <yanta...@posteo.net> Date: Mon, 21 Aug 2023 09:59:12 +0300 Subject: [PATCH 2/2] org-babel-execute:sqlite: Fix shell arg expansion vulnerability * lisp/ob-sqlite.el (org-babel-execute:sqlite): Use `org-make-shell-command' to escape the strings taken from Org file. This will prevent abusing shell expansion. Reported-by: Max Nikulin <maniku...@gmail.com> Link: https://orgmode.org/list/ub549k$q11$1...@ciao.gmane.io --- lisp/ob-sqlite.el | 34 ++++++++++++++-------------------- 1 file changed, 14 insertions(+), 20 deletions(-) diff --git a/lisp/ob-sqlite.el b/lisp/ob-sqlite.el index 7510e5158..027f0a72d 100644 --- a/lisp/ob-sqlite.el +++ b/lisp/ob-sqlite.el 
@@ -77,26 +77,20 @@ (defun org-babel-execute:sqlite (body params) (with-temp-buffer (insert (org-babel-eval - (org-fill-template - "%cmd %header %separator %nullvalue %others %csv %db " - (list - (cons "cmd" org-babel-sqlite3-command) - (cons "header" (if headers-p "-header" "-noheader")) - (cons "separator" - (if separator (format "-separator %s" separator) "")) - (cons "nullvalue" - (if nullvalue (format "-nullvalue %s" nullvalue) "")) - (cons "others" - (mapconcat - (lambda (arg) (format "-%s" (substring (symbol-name arg) 1))) - others " ")) - ;; for easy table parsing, default header type should be -csv - (cons "csv" (if (or (member :csv others) (member :column others) - (member :line others) (member :list others) - (member :html others) separator) - "" - "-csv")) - (cons "db" (or db "")))) + (org-make-shell-command + org-babel-sqlite3-command + (if headers-p "-header" "-noheader") + (when separator (list "-separator" separator)) + (when nullvalue (list "-nullvalue" nullvalue)) + (mapcar + (lambda (arg) (format "-%s" (substring (symbol-name arg) 1))) + others) + ;; for easy table parsing, default header type should be -csv + (unless (or (member :csv others) (member :column others) + (member :line others) (member :list others) + (member :html others) separator) + "-csv") + db) ;; body of the code block (org-babel-expand-body:sqlite body params))) (org-babel-result-cond result-params -- 2.41.0
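Review bot: No regression test accompanies this fix; the diffstat touches only lisp/ob-sqlite.el. Add a test under testing/lisp/ for ob-sqlite that executes a block whose :separator or :nullvalue header argument contains shell metacharacters ($(...), ;, a space) and asserts that the value reaches sqlite3 literally, so the quoting cannot regress silently. Also note that `org-babel-sqlite3-command' is passed as COMMAND and is concatenated unquoted by `org-make-shell-command', so a customized value whose path contains spaces must be quoted by the user; a sentence in that defcustom's docstring would make this explicit, since everything after it is now quoted per argument.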
-- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at <https://orgmode.org/>. Support Org development at <https://liberapay.com/org-mode>, or support my work at <https://liberapay.com/yantar92>
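As an added example (not part of this thread and not Org's own code), the following Python re-implements the quoting rules of the patched `org-make-shell-command` with `shlex.quote` standing in for `shell-quote-argument`, and shows the difference between the old `org-fill-template`-style interpolation and the new per-argument quoting. The `printf` stand-in for sqlite3, the `$(echo INJECTED)` separator value and the `UNESCAPED` sentinel are constructed for the demonstration; the escaping rules for `/bin/sh` are assumed to be the relevant ones.

```python
import shlex
import subprocess

# Sentinel playing the role of the patch's `org-shell-arg-tag-unescaped`
# (an uninterned symbol in Elisp; a unique object here). Assumed name.
UNESCAPED = object()


def make_shell_command(command, *args):
    """Build a shell command string from COMMAND and ARGS.

    Re-implementation of the rules in the patched org-make-shell-command:
    None is dropped, a str is shell-quoted, (UNESCAPED, str) is passed
    through verbatim, and a list/tuple is flattened recursively.
    Anything else is rejected, as the Elisp version signals an error.
    COMMAND itself is not quoted, matching the Elisp behaviour.
    """
    words = []

    def walk(arg):
        if arg is None:
            return
        if isinstance(arg, str):
            words.append(shlex.quote(arg))
        elif (isinstance(arg, tuple) and len(arg) == 2
              and arg[0] is UNESCAPED and isinstance(arg[1], str)):
            words.append(arg[1])
        elif isinstance(arg, (list, tuple)):
            for item in arg:
                walk(item)
        else:
            raise ValueError(f"Unknown ARG specification: {arg!r}")

    for arg in args:
        walk(arg)
    return " ".join(([command] if command else []) + words)


def vulnerable_sqlite_command(cmd, separator, db):
    """Pre-patch shape: header-arg values interpolated raw into the
    command line, as org-fill-template did with "-separator %s"."""
    return f"{cmd} -separator {separator} -csv {db}"


def fixed_sqlite_command(cmd, separator, db):
    """Post-patch shape: every header-arg value is a quoted argument."""
    return make_shell_command(
        cmd,
        ["-separator", separator] if separator else None,
        "-csv",
        db,
    )


def run_through_shell(command):
    """Run COMMAND with /bin/sh and return its stdout lines."""
    proc = subprocess.run(["sh", "-c", command], capture_output=True,
                          text=True, check=True)
    return proc.stdout.splitlines()


# Constructed stand-in for sqlite3: prints each argv element in brackets,
# so we can see what actually reached the program after the shell parsed
# the command line.
STAND_IN = "printf '[%s]\\n'"

# Constructed malicious header-arg value, i.e. :separator '$(echo INJECTED)'
PAYLOAD = "$(echo INJECTED)"

if __name__ == "__main__":
    # Old code: the shell runs the command substitution inside the separator.
    print(run_through_shell(vulnerable_sqlite_command(STAND_IN, PAYLOAD, "db.sqlite")))
    # Patched code: the separator arrives as the literal string.
    print(run_through_shell(fixed_sqlite_command(STAND_IN, PAYLOAD, "db.sqlite")))
```

Running the script prints `[INJECTED]` for the unquoted build, showing that the substitution executed, and `[$(echo INJECTED)]` for the quoted one; the same holds for `;`, backticks, `|` and whitespace in a header argument, which is why the patch quotes every value taken from the Org file rather than only the separator.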