
Comments (5)

maowtm commented on May 18, 2024

Relevant crate: https://github.com/sfackler/shell-escape

from modus.

mechtaev commented on May 18, 2024

I am still a bit concerned about the use of shell-escaping, because such tools do not provide any correctness guarantees. As a result, (1) the language semantics is not well-defined (we cannot guarantee that an arbitrary command will be executed the way it is typed), (2) we open opportunities for shell injection attacks.

I suggest we think more about what we can do to avoid these problems. For example, if there is a way to set environment variables, we can use cp "$SOURCE" "$DESTINATION" (although this will pollute the environment of the spawned shell process). We can also consider reading the arguments from temporary files and passing them using command substitution, e.g. cp "`cat /tmp/source.txt`" "`cat /tmp/destination.txt`".

from modus.

maowtm commented on May 18, 2024

I thought about this as well, and I don't like relying on escaping either.

About the first approach - the only problem I can see is that there is a limit to the combined size of environment variables. Although it is quite large (128 KB on Linux), it could still cause problems if the user has a long "run" script, or if the parent image already contains tons of env vars.

I like the second approach a bit more (we are already using temporary mounts to implement copy so no problem just adding some temporary text files as well). Also polluting the file system feels a bit "better" than polluting env vars.

As to shell injection attacks - all these scripts are run inside the container it's building, and if you want to inject some shell commands you could already just use run normally.

from modus.

mechtaev commented on May 18, 2024

@maowtm, ok, your plan sounds good.

Regarding shell injection, imagine the following situation: a user of Modus wrote a Modusfile that accepts a file path as an argument of an image predicate. The user exposes this argument through a web service, accepting untrusted inputs under the assumption that file paths inside their container are all safe. If we use the shell escaping approach, this will make the service vulnerable to shell injection.

from modus.
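
The two alternatives proposed in this thread (environment variables and temporary files read with command substitution), shown next to naive interpolation of the value into the script text. This is an added example, not part of the original discussion and not Modus's code; the function names, the `source.txt` file name, the payload string and the naive double quoting (which is not the shell-escape crate) are assumptions made for illustration.

```shell
#!/bin/sh
# Each function runs a child shell, as a build tool would for a "run" step,
# and prints the argument exactly as the child shell ended up seeing it.

# Unsafe baseline: the value is pasted into the script text inside double
# quotes, so the child shell parses it as shell syntax.
run_interpolated() {
    sh -c "printf '%s' \"$1\""
}

# Approach 1 from the thread: the script text is a constant and the value
# travels in an environment variable, so it is never parsed as code.
run_via_env() {
    SOURCE="$1" sh -c 'printf "%s" "$SOURCE"'
}

# Approach 2 from the thread: the value is written to a temporary file with
# a fixed name and read back with command substitution. The result of a
# substitution inside double quotes is not re-parsed by the shell.
run_via_file() {
    dir=$(mktemp -d) || return 1
    printf '%s' "$1" > "$dir/source.txt"
    (cd "$dir" && sh -c 'printf "%s" "$(cat source.txt)"')
    status=$?
    rm -rf "$dir"
    return "$status"
}

# Constructed sample input: a "file path" carrying a harmless marker command.
payload='a$(echo INJECTED)b'
for f in run_interpolated run_via_env run_via_file; do
    printf '%-17s -> %s\n' "$f" "$("$f" "$payload")"
done
```

Command substitution strips trailing newlines, so a path that ends in a newline does not survive the temporary-file route byte for byte, while the environment-variable route preserves it.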

maowtm commented on May 18, 2024

(shell escape initially)

from modus.
