Shell Security Problems

andychu edited this page Dec 16, 2017 · 10 revisions

TODO: Link to good resources on the web.

  • rm -f *: the glob expands to file names, so a file named '-r' can be interpreted as a flag

  • globbing happens after variable expansion, so the contents of an unquoted variable are re-interpreted as a glob pattern: code as data

  • escaping when generating programs in another language (shell, HTML, what else?)

  • bash shellshock: this was storing code in environment variables. code as data is an anti-pattern.

Examples

String Hygiene Problems

https://www.reddit.com/r/oilshell/comments/7fjl5t/any_idea_on_the_completeness_of_shellchecks_parser/

  1. Its smartness around find, e.g.: find .... -exec sh -c 'foo {}' ... gets suggested to be corrected to find ... -exec sh -c 'foo "$1"' -- {}

TODO: Construct an example like this that's a security problem?
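
A constructed example of the kind this TODO asks for, added here and not part of the original wiki page: the same hostile file name is run through both forms of the find command above, with ls -ld standing in for foo. The function names, the sandbox layout and the harmless marker-file payload are all assumptions made for the demo.

```sh
#!/bin/sh
# Added demo (not from the wiki). All names and the payload are constructed.

# make_tree DIR: sandbox holding one ordinary file and one hostile file name.
make_tree() {
    mkdir -p "$1/files" || return 1
    : > "$1/files/report.txt"
    # The "payload" is harmless: it only creates a marker file named MARKER.
    name='$(touch MARKER)'
    : > "$1/files/$name"
}

# Unsafe form: find pastes each path into the script text, so sh parses the
# file name as shell code. (GNU, BSD and BusyBox find substitute {} inside a
# larger argument; POSIX leaves that implementation-defined.)
unsafe_scan() {
    ( cd "$1" && find files -type f -exec sh -c 'ls -ld {}' \; ) >/dev/null 2>&1
}

# Safe form from the text: the script is a constant, the path arrives as $1
# ("--" fills $0) and is only ever expanded inside double quotes.
safe_scan() {
    ( cd "$1" && find files -type f -exec sh -c 'ls -ld "$1"' -- {} \; ) >/dev/null 2>&1
}

# marker_created DIR: true if the file name was executed as code in DIR.
marker_created() { [ -e "$1/MARKER" ]; }

# demo: run both forms in fresh sandboxes; prints "unsafe=... safe=...".
demo() {
    tmp=$(mktemp -d) || return 1
    result=
    for form in unsafe safe; do
        make_tree "$tmp/$form"
        "${form}_scan" "$tmp/$form" || :
        if marker_created "$tmp/$form"; then
            result="$result $form=executed"
        else
            result="$result $form=inert"
        fi
    done
    rm -rf -- "$tmp"
    printf '%s\n' "${result# }"
}

demo
```

In the unsafe form the file name reaches the shell parser as program text; in the safe form it only ever exists as the value of "$1", which is why quoting it there is sufficient.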

Pedantic Style

Motivation for Oil: get rid of pedantic style. The simple code should be correct, not be riddled with subtle bugs.

ShellCheck enforces pedantic style. Modernish develops a new pedantic style.

  • double quote everything (except it's not necessary for RHS of assignment)
  • add -- after everything, e.g. cd -- $dir not cd $dir. Except echo and others which don't support it.