Arbitrary commands leads to security threats #6
Comments
FauconFan
added
help wanted
|
One possible solution would be to pipe each cmdcall through a separate checkprocess which has to be implemented separatly (by an administrator) prior to the cmdcall itself. That process could return the command unaltered, modified or as blank (which means cmd_blocked), or could be responsible for calling the cmd completely by itself. In other words: One level of indirection would eventually help. That would be a generic and flexible solution, and, provided the user cannot find a way to compromise such a checkprogram, secure. Ideally the checkprogram can be implemented in any language, reading its parms from stdin and writing results to stdout which is piped back from mdbook-cmdrun to the markdown-file. The checks that such program could take to verify the cmd is allowed or not are arbitrary and just have to be implemented. Optionally, you can deliver a |
|
Your solution can be implemented for each mdbook separately, and implementing such a solution for mdbook would lead to breaking changes and an opiniated approach (maybe a fork...). I'll put a huge disclaimer in the README, but after some thoughts, I am not sure than we can "fix" this issue directly within the repo, as arbitrary commands can be run... I'll close this for now |
As Stated by @Hoffenbar in #3, one could put any arbitrary commands in its mdbook that could mess up the reader, for example:
rm -rf /. This is a huge security issue that I don't have time to solve for now.Before solving this, it would be nice to have a discussion about how to solve this.
As I can see it, there are multiple non-perfect solutions:
The text was updated successfully, but these errors were encountered: