Improve shell calls #12
Labels: bug (Something isn't working)

Comments
Noxgrim added a commit to Noxgrim/anki-addon-builder that referenced this issue on Feb 2, 2020:

Fixes glutanimate#12
* Fix shadowing magic values
  + Add mutually exclusive options instead of magic values
  * '-r'/'--release' replaces 'release'
  * '-c'/'--current-commit' replaces 'current'
  * '-w'/'--working-directory' replaces 'dev'
  * Add 'special' field and parameter where necessary
  * Remove special values, treat them as normal values
* Improve shell calls
  * Escape shell calls with new 'quote' function
  * Add '--' whenever possible (and needed)
  * Use Python code instead of complex shell call for determining the modtime
  * Improve it to use of strange file names
* Also fix PR glutanimate#11 from @zjosua
* Update documentation
* Add comment to trash patterns
Great to see that this issue was fixed in a PR. I used this temporary workaround as I hadn't realized that it was fixed in a PR:
Noxgrim added a commit to Noxgrim/anki-addon-builder that referenced this issue on Aug 16, 2023:

Fixes glutanimate#12
* Fix shadowing magic values
  + Add mutually exclusive options instead of magic values
  * '-r'/'--release' replaces 'release'
  * '-c'/'--current-commit' replaces 'current'
  * '-w'/'--working-directory' replaces 'dev'
  * Add 'special' field and parameter where necessary
  * Remove special values, treat them as normal values
* Improve shell calls
  * Escape shell calls with new 'quote' function
  * Add '--' whenever possible (and needed)
  * Use Python code instead of complex shell call for determining the modtime
  * Improve it to use of strange file names
* Also fix PR glutanimate#11 from @zjosua
* Update documentation
* Add comment to trash patterns
Problem description

Currently a lot of the calls to the shell in `aab` do not escape their arguments properly. Thus a call

aab build '$( rm -rf / )'

may execute the subshell because the line in git.py:76 does not escape the string. Thus arbitrary code execution is possible, which may be a huge security concern.

E.g. if a shady developer, who would like to harm their users, would set up a project and name the latest tag

$(rm${IFS}-rf${IFS}--no-preserve-root${IFS}/)

and a user would check the code but not the tags (because why should they (be dangerous)?) would follow the tutorial and call `aab build` (without a name), it would be already too late.

Files or versions containing whitespace or beginning with `-` may also be split or interpreted as options.

Also the current system uses the magic values `release`, `current` and `dev` for the tag to build to make special cases. This shadows actual tags or branches with this name and makes it impossible to build them. Having a branch or tag called `dev` may be somewhat common.

Checklist
Information about your set-up

Please run `aab -h` and paste the output below:
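To make the escaping problem from the report concrete, and to show the two remedies the referenced commit lists (a 'quote' helper and a '--' separator), here is an added example that is not the project's own code. `ARGV_ECHO`, `HOSTILE_TAG`, `SPACED_TAG` and the three call functions are hypothetical stand-ins; a harmless `$(echo ...)` takes the place of the destructive tag quoted above, and a Python one-liner stands in for git so the demo runs anywhere.

```python
import json
import shlex
import subprocess
import sys

# Stand-in for git: a Python one-liner that reports the argv it received as
# JSON, so the demo shows exactly what reaches the callee and stays harmless.
ARGV_ECHO = "import sys, json; print(json.dumps(sys.argv[1:]))"
PY = shlex.quote(sys.executable)

# Constructed sample tag names (hypothetical, not from the project).
HOSTILE_TAG = "$(echo INJECTED)"  # benign cousin of the tag quoted in the issue
SPACED_TAG = "v1.0 beta"          # whitespace gets word-split by the shell


def _run(cmd, shell: bool) -> list:
    out = subprocess.run(cmd, shell=shell, capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


def unsafe_call(tag: str) -> list:
    """The pattern the issue describes: the tag is interpolated into a shell
    string, so /bin/sh expands $(...) and splits on whitespace before the
    program ever sees the argument."""
    return _run(f"{PY} -c {shlex.quote(ARGV_ECHO)} {tag}", shell=True)


def quoted_call(tag: str) -> list:
    """Same shell string, but the tag goes through shlex.quote (the standard
    library's counterpart to the 'quote' helper the fix commit adds): the
    shell now hands the tag over as one literal word."""
    return _run(f"{PY} -c {shlex.quote(ARGV_ECHO)} {shlex.quote(tag)}", shell=True)


def argv_call(tag: str) -> list:
    """Preferred form: no shell at all, an argv list, and '--' in front of the
    tag so a callee such as git cannot read a name like '-n' as an option.
    (The stand-in does no option parsing, so '--' simply shows up in argv.)"""
    return _run([sys.executable, "-c", ARGV_ECHO, "--", tag], shell=False)


if __name__ == "__main__":
    for fn in (unsafe_call, quoted_call, argv_call):
        print(f"{fn.__name__:12} -> {fn(HOSTILE_TAG)}")
```

Only the unescaped variant ever lets the subshell run; the other two hand the tag to the callee byte for byte.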