emacs-orgmode
Re: [PATCH] ob-clojure.el: Add support for babashka and nbb backend


From: Max Nikulin
Subject: Re: [PATCH] ob-clojure.el: Add support for babashka and nbb backend
Date: Mon, 15 Nov 2021 21:33:33 +0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0

On 14/11/2021 23:30, Daniel Kraus wrote:
Max Nikulin writes:
On 14/11/2021 22:28, Daniel Kraus wrote:
+(defun ob-clojure-escape-quotes (str-val)
+  "Escape quotes for STR-VAL."
+  (replace-regexp-in-string "\"" "\\\"" str-val 'FIXEDCASE 'LITERAL))
+
+(defun ob-clojure-eval-with-babashka (bb expanded)
+  "Evaluate EXPANDED code block using BB (babashka or nbb)."
+  (let ((escaped (ob-clojure-escape-quotes expanded)))
+    (shell-command-to-string
+     (concat bb " -e \"" escaped "\""))))
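Review bot: `ob-clojure-escape-quotes` only replaces `"` with `\"`, so inside the double-quoted argument the shell still expands `$VAR`, `$(...)` and backtick substitutions and collapses backslash sequences such as `\\` and `\$`; this both corrupts Clojure strings that contain backslashes and lets the contents of a source block run shell commands. In `ob-clojure-eval-with-babashka`, drop the shell altogether and pass EXPANDED as a single argv element, e.g. `(with-temp-buffer (call-process bb nil t nil "-e" expanded) (buffer-string))`; if `shell-command-to-string` must stay, quote the whole argument with `(shell-quote-argument expanded)` rather than escaping one character.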

Isn't it an open door for security vulnerabilities? Consider a string somewhere in the code: "`echo arbitrary code execution`". Only outer quotes are escaped.

The escaping is not done for security reasons.
When I have a babel block like

#+BEGIN_SRC clojure
(str "foo" "bar")
#+END_SRC

babashka has to be called with

bb -e "(str \"foo\" \"bar\")"

Enough shell constructs may be interpreted by the shell inside double quotes before the result is passed to bb. I mentioned execution of code inside backticks; variable substitutions are mostly undesired as well. I do not think users should escape "$" inside source blocks just because you chose incomplete escaping of shell specials.

The following source block must not execute echo and touch:

#+begin_src clojure
  (str "`echo $HOME`" "`touch /tmp/pwned`")
#+end_src

A shell should not be used to launch any command unless it is really necessary. Arguments should be passed directly to the execve(2) system call as an array. Combining them into a string, to be passed through a shell interpreter that parses it into an argument array again, is error prone.

Unfortunately, the Emacs API related to execution of external processes is awkward. In this particular case it encourages use of the unsafe function, since there is no convenient helper that accepts a binary and a *list* of arguments and returns the output as a string.

So more verbose code is required to invoke bb without intermediate interpretation of the content of the argument string. In my opinion it is better than using a more reliable and tested function to escape shell specials.
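The "more verbose" invocation Max describes, with the block passed as one argv element and no shell in between, as an added example that is neither the patch's nor Org mode's code; the function names are assumptions, and the sample input is the source block quoted above:

```elisp
;; Added example, not part of the patch or of Org mode.  The two function
;; names are hypothetical.

(defun my/clojure-eval-no-shell (bb expanded)
  "Run BB (\"bb\" or \"nbb\") with EXPANDED as the argument to -e.
No shell is involved: EXPANDED is one argv element, so backticks,
\"$\" and backslashes reach the interpreter exactly as written.
Return stdout (and stderr) as a string; signal an error on non-zero exit."
  (with-temp-buffer
    (let ((status (call-process bb nil t nil "-e" expanded)))
      (unless (eq status 0)
        (error "%s exited with status %s: %s" bb status (buffer-string)))
      (buffer-string))))

(defun my/clojure-eval-via-shell (bb expanded)
  "Same as above but through `shell-command-to-string'.
If a shell really is needed, quote the *whole* argument with
`shell-quote-argument' instead of escaping only double quotes."
  (shell-command-to-string
   (concat (shell-quote-argument bb) " -e " (shell-quote-argument expanded))))

;; Constructed input taken from the source block in this thread.  With either
;; function the shell specials are literal data: nothing is echoed and no
;; file is touched; bb just returns the concatenated string.
(my/clojure-eval-no-shell
 "bb" "(str \"`echo $HOME`\" \"`touch /tmp/pwned`\")")
```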
