-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Parsing of script arguments can interpret a string starting with $ as variable name #11035
Comments
I don't want to create another issue so there is one other error with arg parsing I found, a string with backtick crashes the script, the same happens with single quotation mark (
|
To be honest I think the function |
This is a more serious issue than what it seems. You can achieve code execution by running As @MarikaChlebowska discovered, the command line arguments are actually parsed twice; first to Vec<String> in gather_commandline_args() where escape_for_script_arg() is used, then the Vec is joined to a string which is then evaluated directly in eval_source(). It seems the whole point of As an example for how this can be exploited, using
as a CGI script should be completely harmless, but this opens you up to remote code execution. Nu scripts are usually not exposed to the internet of course, but this can also be used for local privilege escalation. |
<!-- if this PR closes one or more issues, you can automatically link the PR with them by using one of the [*linking keywords*](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword), e.g. - this PR should close #xxxx - fixes #xxxx you can also mention related issues, PRs or discussions! --> # Description <!-- Thank you for improving Nushell. Please, check our [contributing guide](../CONTRIBUTING.md) and talk to the core team before making major changes. Description of your pull request goes here. **Provide examples and/or screenshots** if your changes affect the user experience. --> If there were brackets in a string argument of a script it was always interpreted as interpolation before the change. That lead to unexpected outputs of such scripts. After this change arguments which are not intended as interpolation (not starting with $) and containing brackets will have implicitly added backticks for correct interpretation in the scripts. This fixes #10908. To fix other issues mentioned in #11035 I changed the deparsing logic. Initially we added backticks for multi word variables and double quote if there was \ or " in the string. My change would add double quotes any time string starts with $ or contains any of character that might break parsing. The characters I identified are white space, (, ', `, ",and \. It's possible other characters should be added to this list. I tested this solution with few simple scripts using both stand alone arguments and flags and it seems to work but I would appreciate if someone with more experience checked it with some more unusual cases I missed. # User-Facing Changes <!-- List of all changes that impact the user experience here. This helps us keep track of breaking changes. --> Erroneous behaviour described in the issue will no longer happen. # Tests + Formatting <!-- Don't forget to add tests that cover your changes. Make sure you've run and fixed any issues with these commands: - `cargo fmt --all -- --check` to check standard code formatting (`cargo fmt --all` applies these changes) - `cargo clippy --workspace -- -D warnings -D clippy::unwrap_used` to check that you're using the standard code style - `cargo test --workspace` to check that all tests pass (on Windows make sure to [enable developer mode](https://learn.microsoft.com/en-us/windows/apps/get-started/developer-mode-features-and-debugging)) - `cargo run -- -c "use std testing; testing run-tests --path crates/nu-std"` to run the tests for the standard library > **Note** > from `nushell` you can also use the `toolkit` as follows > ```bash > use toolkit.nu # or use an `env_change` hook to activate it automatically > toolkit check pr > ``` --> Added tests for new formatting. # After Submitting <!-- If your PR had any user-facing changes, update [the documentation](https://github.com/nushell/nushell.github.io) after the PR is merged, if necessary. This will help us keep the docs up to date. -->
<!-- if this PR closes one or more issues, you can automatically link the PR with them by using one of the [*linking keywords*](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword), e.g. - this PR should close #xxxx - fixes #xxxx you can also mention related issues, PRs or discussions! --> # Description <!-- Thank you for improving Nushell. Please, check our [contributing guide](../CONTRIBUTING.md) and talk to the core team before making major changes. Description of your pull request goes here. **Provide examples and/or screenshots** if your changes affect the user experience. --> If there were brackets in a string argument of a script it was always interpreted as interpolation before the change. That lead to unexpected outputs of such scripts. After this change arguments which are not intended as interpolation (not starting with $) and containing brackets will have implicitly added backticks for correct interpretation in the scripts. This fixes nushell#10908. To fix other issues mentioned in nushell#11035 I changed the deparsing logic. Initially we added backticks for multi word variables and double quote if there was \ or " in the string. My change would add double quotes any time string starts with $ or contains any of character that might break parsing. The characters I identified are white space, (, ', `, ",and \. It's possible other characters should be added to this list. I tested this solution with few simple scripts using both stand alone arguments and flags and it seems to work but I would appreciate if someone with more experience checked it with some more unusual cases I missed. # User-Facing Changes <!-- List of all changes that impact the user experience here. This helps us keep track of breaking changes. --> Erroneous behaviour described in the issue will no longer happen. # Tests + Formatting <!-- Don't forget to add tests that cover your changes. Make sure you've run and fixed any issues with these commands: - `cargo fmt --all -- --check` to check standard code formatting (`cargo fmt --all` applies these changes) - `cargo clippy --workspace -- -D warnings -D clippy::unwrap_used` to check that you're using the standard code style - `cargo test --workspace` to check that all tests pass (on Windows make sure to [enable developer mode](https://learn.microsoft.com/en-us/windows/apps/get-started/developer-mode-features-and-debugging)) - `cargo run -- -c "use std testing; testing run-tests --path crates/nu-std"` to run the tests for the standard library > **Note** > from `nushell` you can also use the `toolkit` as follows > ```bash > use toolkit.nu # or use an `env_change` hook to activate it automatically > toolkit check pr > ``` --> Added tests for new formatting. # After Submitting <!-- If your PR had any user-facing changes, update [the documentation](https://github.com/nushell/nushell.github.io) after the PR is merged, if necessary. This will help us keep the docs up to date. -->
Describe the bug
While working on PR (#11030) I've noticed some different edge cases with script argument parsing. Using the script from the issue I worked on (#10908) with an argument that starts with $ leads to interpreting it as a variable name.
As a clue where to look at I debugged it a little bit and the script arguments go through parsing process 2 times. First they are parsed, then
escape_for_script_arg
is called and they're parsed again. When the second parsing process begins quotation marks are stripped already so it's reinterpreted as if it was passed without them if I understand the logic there correctly.How to reproduce
echo.nu
script:Expected behavior
With give input
$foo
should be printed.Screenshots
No response
Configuration
Additional context
No response
The text was updated successfully, but these errors were encountered: