Shell Security Problems
TODO: Link to good resources on the web.
- `rm -f *` -- a file named '-r' can be interpreted as a flag
- globbing happens after variable expansion. code as data
- escaping from generating programs (shell, HTML, what else?)
- bash shellshock: this was storing code in environment variables. code as data is an anti-pattern.
- Critical security updates for Git, Subversion and Mercurial -- A "ssh://..." URL can result in a "ssh" command line with a hostname that begins with a dash "-", which would cause the "ssh" command to instead (mis)treat it as an option.
- Busybox Shell Autocompletion Vulnerability
  - Busybox has code to check for escape sequences and replace them.
  - when using the shell’s autocompletion feature, the filename was not sanitized.
- Its smartness around find. e.g.: `find .... -exec sh -c 'foo {}' ...` gets suggested to be corrected to `find ... -exec sh -c 'foo "$1"' -- {}`
TODO: Construct an example like this that's a security problem?
Motivation for Oil: get rid of pedantic style. The simple code should be correct, not be riddled with subtle bugs.
ShellCheck enforces pedantic style. Modernish develops a new pedantic style.
- double quote everything (except it's not necessary for RHS of assignment)
- add `--` after everything, e.g. `cd -- $dir` not `cd $dir`. Except `echo` and others which don't support it.
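
The `-r` filename case and the `--` rule from the lists above, as an added shell example that is not part of the original wiki page. The function name `demo`, its mode names and the scratch files are constructed for illustration; `./*` is included as a second way to keep a glob result from starting with a dash.

```shell
#!/bin/sh
# demo MODE: build a scratch directory containing a file literally named
# "-r", run one variant of "rm -f <glob>" inside it, and report whether a
# subdirectory with data in it survived. MODE is unsafe, dashdash or dotslash.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/keep" || return 2
    : > "$d/keep/data.txt"
    : > "$d/junk.txt"
    : > "$d/-r"      # created through a path, so nothing parses it as an option

    (
        cd -- "$d" || exit 2
        LC_ALL=C; export LC_ALL   # byte order: "-r" sorts first in the glob result
        case $1 in
            # Expands to: rm -f -r junk.txt keep   ("-r" becomes the recursive flag)
            unsafe)   rm -f * ;;
            # "--" ends option parsing, so "-r" is only a filename; rm refuses
            # to delete the directory "keep" because no recursive flag was given.
            dashdash) rm -f -- * ;;
            # Every expanded word starts with "./", so none can look like an option.
            dotslash) rm -f ./* ;;
        esac
    ) 2>/dev/null || :            # rm exits non-zero when it skips the directory

    if [ -f "$d/keep/data.txt" ]; then result=kept; else result=destroyed; fi
    rm -rf -- "$d"                # clean up the scratch directory
    printf '%s\n' "$result"
}

for mode in unsafe dashdash dotslash; do
    printf '%-8s -> subdirectory %s\n' "$mode" "$(demo "$mode")"
done
```
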