Disallow more characters in arguments for internal cmd
commands
#13009
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Makes
run-external
error if arguments tocmd.exe
internal commands contain newlines or a percent sign. This is because the percent sign can expand environment variables, potentially? allowing command injection. Newlines I think will truncate the rest of the arguments and should probably be disallowed to be safe.After Submitting
cmd.exe
directly, then this bypasses our handling/checking for internalcmd
commands. Instead, we use the handling from the Rust std lib which, in this case, does not do special handling and is potentially unsafe. Then again, it could be the user's specific intention to runcmd
with whatever trusted input. The problem is that since we use the std lib handling, it assumes the exe uses the C runtime escaping rules and will perform some unwanted escaping. E.g., it will add backslashes to the quotes incmd echo /c '""'
.cmd
is called indirectly via a.bat
or.cmd
file, then we use the Rust std lib which has separate handling for bat files that should be safe, but will reject some inputs.I'm not sure how we handleIt looks like we use thePATHEXT
, that can also cause a file without an extension to be run as a bat file. If so, I don't know where the handling, if any, is done for that.which
crate to do the lookup usingPATHEXT
. Then, we pass the exe path from that to the Rust std libCommand
, which should be safe (except for the firstcmd.exe
note).So, in the future we need to unify and/or fix these different implementations, including our own special handling for internal
cmd
commands that this PR tries to fix.