[aur-dev] {SPAM 01.6} Re: Safe and relatively reliable PKGBUILD parser.

Jim Pryor lists+aur-dev at jimpryor.net
Tue Jan 12 08:51:37 EST 2010 

On Tue, Jan 12, 2010 at 02:20:36PM +0100, Xyne wrote:
> > I was brainstorming to think of possible exploits. It looks like this is
> > valid syntax:
> > 
> > echo normal stuff
> > exit 0
> > any funky stuff I want
> > pkgver=#$#%$%%^&^$@#$$@^ } more funky stuff {
> > 
> > Running bash -n on that gives 0. Now there's not necessarily anything
> > wrong here---unless your parser doesn't stop parsing at the exit command.
> > If it goes past that, then maybe exploits could be introduced, because
> > we wouldn't be entitled to the assumption that the rest of the code is
> > valid syntax.
> 
> I haven't tested that but I don't think it would be an issue. As long
> as it doesn't break out of the function declaration, it shoulld work
> and afaik, you can include "exit" inside a function. I'm not a Bash
> expert though, so correct me if I'm wrong.

Yes, there's not necessarily a problem here. The wrapper function you
construct would be syntactically valid and would execute fine. (It would
exit whatever shell it's executed in.)

I mention it to point out that you have to be careful regexping through
the source (even the Bash-canonically-formatted source) of a function
that Bash says is syntactically valid. There may be parts of that source
that you assume to be valid Bash but which aren't, because they come
after an exit. There may be other ways to do this too, e.g., with an
exec.

E.g.:

TESTFILE=$(cat <<"EOF"
echo normal stuff
exit 0
any funky stuff I want
pkgver=#$#%$%%^&^$@#$$@^ } more funky stuff {
EOF
)
WRAPPED=$'wrapper() {\n'"$TESTFILE"$'\n}'
bash -n <<< "$WRAPPED"
echo $? # prints 0
bash <<< "$WRAPPED"$'\ntype wrapper'

prints:
=======
wrapper is a function
wrapper ()
{
    echo normal stuff;
    exit 0;
    any funky stuff I want;
    pkgver=#$#%$%%^ & ^$@#$$@^ } more funky stuff {
}

The garbage comes out in the output of `set` too, as well as `type
wrapper`.

Now if you try regexping that, without truly parsing it, you may if
you're not careful find yourself processing the garbage at the end.
That may make exploits possible.

I like the approach you're using, but this loophole occurred to me and I
thought you should know about it. You'll have to decide whether it's
worth protecting against.

But that makes salient the question of what advantage you're aiming to
get by what you're doing rather than just checking the PKGBUILD with bash -n and if
that works, sourcing it with some appended echos to print out the
variables we're interested in.

One possible advantage would be to protect against malicious
stuff. If that's your aim, then you should be protecting against exploits
like this may make possible.

-- 
Jim Pryor
profjim at jimpryor.net

More information about the aur-dev mailing list