Post · bonfire.cafe

Let's say I have a script:

 echo -n "$1" | some_bin "$2" "$3" -t "$4" -m "$5" -p "$6" -e 

I call this from my application using Erlang's ports, passing

 {spawn_executable, "sh"}, {args, ["myscript.sh", Arg1, Arg2, Arg3, ...]} 

Argument 1 (which goes to the echo) is user controlled, the others are not. How can a malicious user crack this? What kind of shenanigans can they do in the shell script? What do I need to do to avoid that?

(some_bin only takes input from stdin.)

#Erlang

Mikko Värri

@vmj@fosstodon.org replied · 4 days ago

@nicd
I take it that the script is more complex in reality. If not, would it be possible to execute the some_bin directly, and write to its stdin from erlang?

Nicd

@nicd@masto.ahlcode.fi replied · 4 days ago

@vmj It's really not, that's the whole script.

I could execute the binary from Erlang, but it's not possible to send EOF to the input from Erlang <https://github.com/erlang/otp/issues/4326>. So I can't send the input and then get the output, as the binary would never see that the input is closed.

Andrew Wippler

@andrew@this.wplr.rocks replied · 6 days ago

@nicd i think if you do checks on arg1 before sending to shell, you should be fine.

Andrew Wippler

@andrew@this.wplr.rocks replied · 6 days ago

@nicd You would check for pipes, directory traversal, and destructive behavior (rm, cp, curl, wget, etc.). Enclosing the arg in quotes does help some.

What kinds of things do you expect users to put in arg 1?

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances

Bonfire social · 1.0.0-rc.2.11 no JS en

Automatic federation enabled