You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As Stated by @Hoffenbar in #3, one could put any arbitrary commands in its mdbook that could mess up the reader, for example: rm -rf /. This is a huge security issue that I don't have time to solve for now.
Before solving this, it would be nice to have a discussion about how to solve this.
As I can see it, there are multiple non-perfect solutions:
Whitelisting the commands manually
would still be an issue as we could de anything in Python, and one cannot ban Python
Manual reviewing every command
need a way to ask user to review command and force build to fail (maybe impossible)
The text was updated successfully, but these errors were encountered:
One possible solution would be to pipe each cmdcall through a separate checkprocess which has to be implemented separatly (by an administrator) prior to the cmdcall itself. That process could return the command unaltered, modified or as blank (which means cmd_blocked), or could be responsible for calling the cmd completely by itself. In other words: One level of indirection would eventually help. That would be a generic and flexible solution, and, provided the user cannot find a way to compromise such a checkprogram, secure. Ideally the checkprogram can be implemented in any language, reading its parms from stdin and writing results to stdout which is piped back from mdbook-cmdrun to the markdown-file. The checks that such program could take to verify the cmd is allowed or not are arbitrary and just have to be implemented. Optionally, you can deliver a mdbook-cmdrun-check.exe which does implement a null check (simply passing the cmd through as it is now). Just ideas.
Your solution can be implemented for each mdbook separately, and implementing such a solution for mdbook would lead to breaking changes and an opiniated approach (maybe a fork...).
I'll put a huge disclaimer in the README, but after some thoughts, I am not sure than we can "fix" this issue directly within the repo, as arbitrary commands can be run...
As Stated by @Hoffenbar in #3, one could put any arbitrary commands in its mdbook that could mess up the reader, for example:
rm -rf /
. This is a huge security issue that I don't have time to solve for now.Before solving this, it would be nice to have a discussion about how to solve this.
As I can see it, there are multiple non-perfect solutions:
The text was updated successfully, but these errors were encountered: