GNU Parallel has had a (theoretical) security issue a few years back:
https://lists.gnu.org/archive/html/parallel/2015-04/msg00045.html

Therefore GNU Parallel tries to be conservative to avoid surprising
results. --unsafe will allow GNU parallel to run in environments and
on input that are untested and thus may cause surprising results and
even security issues, where an evil attacker can influence the
results.

Think attacks similar to Shellshock:
https://en.wikipedia.org/wiki/Shellshock_(software_bug)

This of course has a negative effect when I restrict e.g. $PWD to
only contain [-a-z0-9_+,.%@:/= ] and gives the bad experience that you
now have to use --unsafe to allow $PWD to contain other characters -
e.g. Japanese. Especially if GNU Parallel *does* the right thing. And
it is doubly bad because in version X you *must* use --unsafe, whereas
before version X you *must not* use --unsafe.

So I think there is a discussion to be had here:

Should GNU Parallel just accept any input (including environment
variables) and use those? This may cause surprising results and even
security issues, because it has not been tested.

Or should GNU Parallel be restrictive and force you to use --unsafe
when you are doing something that is not tested? If you are forced to
use --unsafe all the time for something that is safe, it is time to
file a bug report and have a discussion on how to make your situation
well tested and safe.

A third option is to issue a warning instead of an error. This way the
command will run, but you will be made aware that you are doing
something untested.

Let me hear your thoughts.

/Ole
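To make the three options in the message concrete, here is an added example (not GNU Parallel's own code, and not from the list thread): a conservative check on a directory name against the character class quoted above, [-a-z0-9_+,.%@:/= ], combined with a policy switch for the three behaviours under discussion (refuse with an error, warn but run, accept anything). The function names, the mode argument and the sample paths are assumptions made for illustration; the character class is the one stated in the message.

```shell
#!/bin/sh
# Added example, not GNU Parallel's code. Shows the "error / warn / accept"
# policies discussed on the list, applied to a $PWD-style value.

# is_conservative PATH
# Exit 0 if PATH contains only the tested characters [-a-z0-9_+,.%@:/= ]
# (the class quoted in the message), 1 if it contains anything else.
# LC_ALL=C makes the range byte-wise, so multibyte characters such as
# Japanese count as untested rather than depending on the caller's locale.
is_conservative() {
    ! printf '%s' "$1" | LC_ALL=C grep -q '[^-a-z0-9_+,.%@:/= ]'
}

# check_pwd MODE PATH
# MODE (an assumed name, standing in for the presence or absence of --unsafe):
#   error  - refuse untested input; the user must opt in explicitly
#   warn   - proceed, but tell the user the input is untested
#   accept - proceed silently with any input
# Returns 0 when the caller may proceed, 1 when it must not, 2 on a bad mode.
check_pwd() {
    mode=$1
    dir=$2
    if is_conservative "$dir"; then
        return 0
    fi
    case $mode in
        error)
            echo "error: directory name contains untested characters; use --unsafe to proceed" >&2
            return 1 ;;
        warn)
            echo "warning: directory name contains untested characters; proceeding anyway" >&2
            return 0 ;;
        accept)
            return 0 ;;
        *)
            echo "unknown mode: $mode" >&2
            return 2 ;;
    esac
}

# Stand-alone demo: one constructed directory name with a character outside
# the tested class, run under each policy.
for mode in error warn accept; do
    if check_pwd "$mode" '/tmp/a;b'; then
        echo "$mode: proceed"
    else
        echo "$mode: refuse"
    fi
done
```

The check itself is the same under every policy; only what happens on a miss differs, which is exactly the choice the message puts up for discussion. A real implementation would apply the same idea to every environment variable it passes to the shell, not only the working directory.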
