Hi Paul,

On Thu, Oct 30, 2025 at 10:55:28AM -0600, Paul Eggert wrote:
> On 10/30/25 09:11, Alejandro Colomar via Bug reports for GNU grep wrote:
> > > ... | xargs bash -c "grep $regex ; [[ \$? -le 1 ]]'
> > >
> > > and it runs grep no more times than "xargs grep" will.
> > The problem with something based on
> >
> >     ... | xargs bash -c ...
> >
> > is that it would make it easy to inject commands in the bash script with
> > maliciously crafted files, right?
>
> If an attacker controls the regex you're already in trouble, because the
> regex can be arbitrarily slow.

I'm not too worried about DoS. I was worried about remote code
execution. As in, I'll try to search for something in an arbitrary
directory, possibly controlled by a malicious actor, and file names or
contents could result in giving them control of my computer.
> That being said, to avoid the regex being interpreted as shell code, you can
> use something like this:
>
> xargs sh -c 'grep -e "$0" -- "$@"; [ $? -le 1 ]' "$regex"
Hmmm, it seems like what I want. Testing seems to work:

    alx@devuan:~/tmp$ cat script
    #!/bin/bash
    set -Eeuo pipefail
    echo foo bar baz | xargs sh -c 'echo "$0" -- "$@"; test $? -le 1;' "regex";
    alx@devuan:~/tmp$ ./script
    regex -- foo bar baz

>
> Admittedly a bit awkward, but it works now and it's portable to any POSIX
> platform.
This sounds quite robust; thanks!
> If this awkwardness is to be simplified it should be a patch to GNU xargs
> not to grep, as programs like diff and cmp behave like grep and it's not
> reasonable to add options to them all merely to work around an xargs
> awkwardness.
Makes sense; thanks! But I think I like your approach above; I don't
need simplifying it.
Have a lovely night!
Alex
--
<https://www.alejandro-colomar.es>
Use port 80 (that is, <...:80/>).
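
The hardened invocation from this thread next to the interpolating form it replaces, as an added example that is not part of the original message. The function names, file names and hostile strings are constructed, and `find -print0` with `xargs -0` is an assumption added here so that file names containing spaces survive.

```shell
#!/bin/sh
# Added example. All names and sample data below are constructed.

# Hardened form from the thread: the regex travels as $0 and the file
# names as "$@", so neither is ever parsed as shell code.
#   -e  keeps a regex that starts with "-" from being read as an option
#   --  does the same for file names
#   [ $? -le 1 ] maps grep's "no match" status (1) to success, so xargs
#   only fails on a real grep error (status 2 or higher).
search_tree() {  # usage: search_tree REGEX DIR
    find "$2" -type f -print0 |
        xargs -0 sh -c 'grep -e "$0" -- "$@"; [ $? -le 1 ]' "$1"
}

# The form the thread warns about: the regex is pasted into the script
# text by the outer shell, so the inner shell parses it as code.
search_tree_unsafe() {  # usage: search_tree_unsafe REGEX DIR
    find "$2" -type f -print0 |
        xargs -0 sh -c "grep -e $1 -- \"\$@\"; [ \$? -le 1 ]" sh
}

# Constructed tree with awkward file names and file contents.
make_tree() {  # usage: make_tree DIR
    mkdir -p "$1/sub dir"
    printf 'needle here\n' > "$1/sub dir/a b.txt"
    printf 'nothing\n' > "$1/\$(touch INJECTED_BY_NAME)"
    printf 'needle; touch INJECTED_BY_CONTENT\n' > "$1/-rf"
}
```

With both forms, file names and file contents reach grep only as arguments and data; the difference between the two is confined to how the regex is handed to the inner shell.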
