On 13/08/2023 14:52, Ihor Radchenko wrote:
What do you think about creating a new API to built shell commands and
then using it across all the babel backends?

I support the idea in general, but not its particular implementation as `org-make-shell-command' in your patch.

It does not address the issue I raised.

#+begin_src sqlite :db '(literal "/tmp/ob.sqlite$(date >/tmp/ob-sqlite-vuln.log)")
  select 1
#+end_src

still executes a shell command without a user prompt. Moreover, for org-babel such a value does not look like something that may be evaluated; it is just a list. So the proposed syntax is more explicit (and I like it), but it does not prevent unsolicited execution of a shell command.

I would consider some way to specify whether COMMAND should be quoted as well. The path to an executable may contain a space or another special character, at least for some shells. On the other hand, it is the more usual case to specify some arguments to the command.

I am unsure if a note should be added to the `org-fill-template' docstring that the function should not be used for building shell commands.
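As an added illustration, not part of this email nor of the Org patch under discussion: a hypothetical builder (`example-make-shell-command`, an assumed name, not Org's API) that quotes every argument with `shell-quote-argument`, accepts an option to quote COMMAND itself for executable paths containing spaces, and rejects non-string values such as the quoted list, contrasted with plain template interpolation of the `:db` value from the message above.

```elisp
;; Hypothetical builder; names are assumed, not the Org API.
(defun example-make-shell-command (command args &optional quote-command)
  "Build a command line from COMMAND and the list of strings ARGS.
Every element of ARGS goes through `shell-quote-argument', so shell
metacharacters in it reach the program as literal text.  When
QUOTE-COMMAND is non-nil, COMMAND is quoted too, which matters when the
executable path contains a space.  Non-string values are refused rather
than stringified, so an unevaluated Lisp list cannot slip into the line."
  (dolist (arg (cons command args))
    (unless (stringp arg)
      (error "Shell command parts must be strings, got: %S" arg)))
  (mapconcat #'identity
             (cons (if quote-command (shell-quote-argument command) command)
                   (mapcar #'shell-quote-argument args))
             " "))

;; Constructed header-argument value of the kind shown in the message.
(defvar example-db-value "/tmp/ob.sqlite$(date >/tmp/ob-sqlite-vuln.log)")

;; Template interpolation in the style of `org-fill-template' leaves the
;; $(...) substitution live when the result is handed to a shell.
(defun example-unsafe-sqlite-command (db)
  (format "sqlite3 %s" db))

;; The quoting builder turns the same value into a single inert file name.
(defun example-safe-sqlite-command (db)
  (example-make-shell-command "sqlite3" (list db)))

;; An executable path with a space must be quoted too (QUOTE-COMMAND non-nil);
;; the path is constructed for the illustration.
(defun example-safe-sqlite-command-with-spaced-path (db)
  (example-make-shell-command "/opt/my tools/sqlite3" (list db) t))

;; A list value is rejected instead of being interpolated:
;; (example-make-shell-command "sqlite3" (list '(literal "/tmp/ob.sqlite")))
```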
