make parameter passing to shell scripts secure

[JensLincke]

Is there an accepted general way to pass parameters to the scripts securely? I just stripping our ' enough?

  var repository = req.headers["gitrepository"]
      var msg = req.headers["gitcommitmessage"].replace(/'/g,"")
      // # TODO...
      var cmd = 'cd ' + repository + "; git commit -m '"+ msg +"' -a "

[JensLincke]

@timfel @fniephaus

[fniephaus]

In this example, I'd make sure that repository can only be a valid path/directory (allowed chars are [a-z]/.~) and msg can only be a normal text without special characters. In the above code, I could set gitrepository to e.g. ~/; sudo whoami, I'm sure I could find something similar for gitcommitmessage.

[jgraichen]

Good programming languages usually have something like exec(exe, *args). A fork/exec call that is not spawning a shell but directly invoking the executable (git) and passing args as the usual argv array in main(char* argv).

As there is no shell involved the is not "command parsing", "string escaping" etc.

[jgraichen]

https://nodejs.org/api/child_process.html

[fniephaus]

@jgraichen but that still would be exploitable if not used very carefully, right?

[jgraichen]

No. Something like exec('git', 'commit', '-m', params["message"]) would always pass the param as the message string to git. That is only exploitable if git itself has a sanitizing bug.

[fniephaus]

Passing the responsibility to the target command is probably a good idea here. And yes, it looks like exec has protection built in.

[JensLincke]

but.. since the target programming is a shell script that we wrote... e.g. lively4sync than we have to deal with the security ourselves there again.... some of the commands are not just direct calls to the git api.

[fniephaus]

Rewrite the shell script in JS? ;)

[JensLincke]

if it would have been easy to write in JS I would not have needed a shell script ;-)

[JensLincke]

but for some git commands, I see that this is the most secure option...

[fniephaus]

let's have a look at this next monday!

[JensLincke]

Tim sagt du sollst JETZT Wochenende machen....
Nicole ist doch da!

[fniephaus]

Tim ist d##f 😉 ...selber Wochenende!