On 13/08/2023 14:52, Ihor Radchenko wrote:
> What do you think about creating a new API to build shell commands and
> then using it across all the babel backends?
I support the idea in general, but not its particular implementation as
`org-make-shell-command' in your patch.
It does not address the issue I raised.
#+begin_src sqlite :db '(literal "/tmp/ob.sqlite$(date
>/tmp/ob-sqlite-vuln.log)")
select 1
#+end_src
still executes a shell command without a user prompt. Moreover, for
org-babel such a value does not look like something that may be
evaluated; it is just a list. So the proposed syntax is more explicit
(and I like it), but it does not prevent unsolicited execution of a shell
command.
I would consider some way to specify whether COMMAND should be quoted as
well. A path to an executable may contain a space or other special
character, at least for some shells. On the other hand, it is a more usual
case to specify some arguments to the command.
I am unsure if a note should be added to the `org-fill-template'
docstring that the function should not be used for building shell commands.
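As an added illustration (not code from this thread, from the patch under discussion, or from Org itself), the snippet below contrasts interpolating the :db value through `org-fill-template' with a hypothetical helper that passes the program and every argument through `shell-quote-argument'; the names prefixed `my-' are assumptions, and the :db value is the one quoted above.

```elisp
;;; Added example, not code from the thread or from Org itself.
;;; It contrasts building the sqlite3 command line with `org-fill-template'
;;; (plain interpolation, which the thread warns against) with a hypothetical
;;; helper that passes the program and every argument through
;;; `shell-quote-argument'.  The :db value is the one from the thread.
(require 'org)

(defconst my-db-value "/tmp/ob.sqlite$(date >/tmp/ob-sqlite-vuln.log)"
  "Constructed :db header value containing a command substitution.")

(defun my-unsafe-sqlite-command (db)
  "Interpolate DB unquoted, so the shell still sees $(...) inside it."
  (org-fill-template "%cmd -batch %db"
                     (list (cons "cmd" "sqlite3") (cons "db" db))))

(defun my-safe-shell-command (command &rest args)
  "Return COMMAND followed by ARGS as one shell-safe string.
COMMAND is quoted as well, so a path containing a space survives.
Hypothetical helper, not `org-make-shell-command' from the patch."
  (mapconcat #'shell-quote-argument (cons command args) " "))

(defun my-shell-metachar-p (string)
  "Non-nil when STRING contains an unescaped shell metacharacter.
A sanity check on a built command line (POSIX-style quoting only;
a character preceded by a backslash is treated as escaped)."
  (string-match-p "\\(?:^\\|[^\\]\\)[$`()<>|;&]" string))

;; Unquoted: the $(...) is live, so the check reports a metacharacter.
(my-shell-metachar-p (my-unsafe-sqlite-command my-db-value))

;; Quoted: $ ( ) > and the space are backslash-escaped, and a program
;; path containing a space is handled by the same quoting.
(my-shell-metachar-p
 (my-safe-shell-command "/opt/my tools/sqlite3" "-batch" my-db-value))
```

Note that quoting only neutralises values that reach the helper as plain strings; a value the backend deliberately inserts verbatim (the `(literal ...)' form discussed above) bypasses it, which is the point raised in this reply.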