Re: [PATCH] ob-clojure.el: Add support for babashka and nbb backend
From: Daniel Kraus
Subject: Re: [PATCH] ob-clojure.el: Add support for babashka and nbb backend
Date: Sun, 14 Nov 2021 17:30:43 +0100
Hi!
Max Nikulin <manikulin@gmail.com> writes:
> On 14/11/2021 22:28, Daniel Kraus wrote:
>> +(defun ob-clojure-escape-quotes (str-val)
>> + "Escape quotes for STR-VAL."
>> + (replace-regexp-in-string "\"" "\\\"" str-val 'FIXEDCASE 'LITERAL))
>> +
>> +(defun ob-clojure-eval-with-babashka (bb expanded)
>> + "Evaluate EXPANDED code block using BB (babashka or nbb)."
>> + (let ((escaped (ob-clojure-escape-quotes expanded)))
>> + (shell-command-to-string
>> + (concat bb " -e \"" escaped "\""))))
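Review bot: ob-clojure-escape-quotes only escapes the double quote, so every other character the shell interprets inside a double-quoted string reaches the shell untouched: a backtick or `$(...)` inside a Clojure string literal is executed by the shell before bb or nbb ever sees the form, and a backslash already present in the block (e.g. `"a\"b"`) becomes `\\"` after escaping, which the shell reads as a literal backslash followed by a closing quote, truncating the code. Suggest dropping the string building in ob-clojure-eval-with-babashka and passing EXPANDED as a single argv element without a shell, for example `(with-temp-buffer (call-process bb nil t nil "-e" expanded) (buffer-string))`; if shell-command-to-string has to stay, wrap the argument with `(shell-quote-argument expanded)` instead of the hand-rolled replace. shell-command-to-string also discards the exit status, so a failed evaluation is returned as if it were output.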
>
> Isn't it an open door for security vulnerabilities? Consider a string
> somewhere in the code: "`echo arbitrary code execution`". Only the outer quotes
> are escaped.
The escaping is not done for security reasons.
When I have a babel block like
#+BEGIN_SRC clojure
(str "foo" "bar")
#+END_SRC
babashka has to be called with
bb -e "(str \"foo\" \"bar\")"
etc.
Security-wise, someone should always be careful about what he
evaluates in an org-babel block.
Nobody prevents you from evaluating
#+BEGIN_SRC shell
sudo rm -rf /
#+END_SRC
Cheers,
Daniel
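As an added example (not part of the patch and not ob-clojure.el's own code), the Emacs Lisp below puts the quoted-string construction from the patch next to an invocation that hands the block body to babashka as one argv element through call-process, so no shell ever parses the block contents, plus a shell-quote-argument variant for the case where a shell command string is unavoidable. The my/ names are hypothetical, bb (or nbb) is assumed to be on PATH, and the sample block is constructed for illustration.

```elisp
;; Added example, not from the ob-clojure.el patch under discussion.
;; Assumes `bb' (or `nbb') is on PATH; the sample block is constructed.

(defun my/ob-clojure-bb-command-string (bb expanded)
  "Build the shell command the way the patch does (for comparison only).
Only double quotes are escaped, so backticks, $( ) and backslashes in
EXPANDED are still interpreted by the shell that runs the command."
  (concat bb " -e \""
          (replace-regexp-in-string "\"" "\\\"" expanded 'FIXEDCASE 'LITERAL)
          "\""))

(defun my/ob-clojure-eval-with-babashka-safe (bb expanded)
  "Evaluate EXPANDED with BB without going through a shell.
`call-process' passes EXPANDED as a single argv element, so no quoting
is needed and nothing in the block is ever parsed by a shell.  Signals
an error when BB exits non-zero instead of returning stderr as output."
  (with-temp-buffer
    (let ((status (call-process bb nil t nil "-e" expanded)))
      (unless (eq status 0)
        (error "%s exited with status %s: %s" bb status (buffer-string)))
      (buffer-string))))

(defun my/ob-clojure-bb-command-quoted (bb expanded)
  "Alternative when a shell command string is unavoidable.
`shell-quote-argument' escapes every character outside the POSIX-safe
set, so backticks, $( ), quotes and backslashes in EXPANDED are literal."
  (concat (shell-quote-argument bb) " -e " (shell-quote-argument expanded)))

;; Constructed sample: a Clojure string literal that contains shell syntax,
;; the case raised in the thread.
(defvar my/ob-clojure-sample-block
  "(str \"`echo arbitrary code execution`\")"
  "Hypothetical block body used to compare the three strategies.")

;; Compare the command string the patch would run with the quoted form:
;;   (my/ob-clojure-bb-command-string "bb" my/ob-clojure-sample-block)
;;   (my/ob-clojure-bb-command-quoted "bb" my/ob-clojure-sample-block)
;; In the first, the backticks sit unescaped inside double quotes and a
;; shell would run the echo before bb starts; in the second they are
;; backslash-escaped.  The call-process version has no string to inspect:
;;   (my/ob-clojure-eval-with-babashka-safe "bb" my/ob-clojure-sample-block)
;; returns the printed Clojure string untouched.
```

The safe variant is also what makes nbb interchangeable with bb: both receive the same argv, and neither depends on the user's login shell or its quoting rules.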