emacs-orgmode

Re: [PATCH] ob-clojure.el: Add support for babashka and nbb backend


From: Daniel Kraus
Subject: Re: [PATCH] ob-clojure.el: Add support for babashka and nbb backend
Date: Sun, 14 Nov 2021 17:30:43 +0100

Hi!

Max Nikulin <manikulin@gmail.com> writes:

> On 14/11/2021 22:28, Daniel Kraus wrote:
>> +(defun ob-clojure-escape-quotes (str-val)
>> +  "Escape quotes for STR-VAL."
>> +  (replace-regexp-in-string "\"" "\\\"" str-val 'FIXEDCASE 'LITERAL))
>> +
>> +(defun ob-clojure-eval-with-babashka (bb expanded)
>> +  "Evaluate EXPANDED code block using BB (babashka or nbb)."
>> +  (let ((escaped (ob-clojure-escape-quotes expanded)))
>> +    (shell-command-to-string
>> +     (concat bb " -e \"" escaped "\""))))
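Review bot: ob-clojure-escape-quotes only escapes double quotes, so a backslash in EXPANDED (for example the Clojure literal "a\\b") reaches the double-quoted shell argument unescaped and the shell collapses it, and `$` and backtick sequences in the code are still expanded by the shell, which is the concern raised below. Rather than hand-escaping, let Emacs quote the whole argument, `(concat bb " -e " (shell-quote-argument expanded))`, or avoid the shell entirely with `(call-process bb nil t nil "-e" expanded)` inside `with-temp-buffer`, which also makes the escaping helper unnecessary.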
>
> Isn't that an open door for security vulnerabilities? Consider a string
> somewhere in the code: "`echo arbitrary code execution`". Only outer quotes
> are escaped.

The escaping is not done for security reasons.
When I have a babel block like

#+BEGIN_SRC clojure
(str "foo" "bar")
#+END_SRC

babashka has to be called with

bb -e "(str \"foo\" \"bar\")"

etc.

Security-wise, someone should always be careful about what he
evaluates in an org-babel block.
Nobody prevents you from evaluating

#+BEGIN_SRC shell
sudo rm -rf /
#+END_SRC

Cheers,
  Daniel
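The quoting problem discussed in this thread, as an added Emacs Lisp example that is not part of the patch or of ob-clojure.el: the `my-ob-clojure-*` names are hypothetical, the first two functions copy the patch's approach, and the last two show the `shell-quote-argument` and `call-process` alternatives on a constructed Clojure snippet.

```elisp
;; Added example, not code from the patch. Assumes `bb' is on PATH.

(defun my-ob-clojure-escape-quotes (str-val)
  "Escape only double quotes, exactly as the patch does (hypothetical copy)."
  (replace-regexp-in-string "\"" "\\\"" str-val 'FIXEDCASE 'LITERAL))

(defun my-ob-clojure-bb-command-naive (bb expanded)
  "Build the shell command the way the patch does."
  (concat bb " -e \"" (my-ob-clojure-escape-quotes expanded) "\""))

(defun my-ob-clojure-bb-command-quoted (bb expanded)
  "Same command, but let Emacs quote the whole argument for the shell."
  (concat (shell-quote-argument bb) " -e " (shell-quote-argument expanded)))

(defun my-ob-clojure-eval-no-shell (bb expanded)
  "Run BB directly with call-process, so no shell ever parses EXPANDED."
  (with-temp-buffer
    (call-process bb nil t nil "-e" expanded)
    (buffer-string)))

;; Constructed input: Clojure code containing a backslash and a `$'.
;; The Clojure source is:  (str "a\\b" "$HOME")
(defvar my-ob-clojure-sample "(str \"a\\\\b\" \"$HOME\")")

(my-ob-clojure-bb-command-naive "bb" my-ob-clojure-sample)
;; => bb -e "(str \"a\\b\" \"$HOME\")"
;; Inside double quotes the shell turns \\ into \ and expands $HOME,
;; so bb receives (str "a\b" "/home/...") instead of the block's code.

(my-ob-clojure-bb-command-quoted "bb" my-ob-clojure-sample)
;; => bb -e \(str\ \"a\\\\b\"\ \"\$HOME\"\)
;; Every shell-special character is backslash-escaped, so bb receives
;; the block's code byte for byte.

;; (my-ob-clojure-eval-no-shell "bb" my-ob-clojure-sample)
;; Passes the code as a single argv element; no escaping is needed at all.
```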