bug#48676: Arbitrary code execution in Org export macros

bug#48676: Arbitrary code execution in Org export macros

[Glenn Morris]

Package: emacs,org-mode
Version: 28.0.50
Severity: important
Tags: security

emacs -Q hello.org, where hello.org contains:

#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
Hello. {{{hello}}}

Then:
M-x org-export-dispatch
t A

-> now /tmp/HELLO exist, with no prompting.

This seems contrary to normal Emacs practice for risky local variables,
and to the section "Code Evaluation and Security Issues" in the Org manual
(which does not mention macros).

bug#48676: Arbitrary code execution in Org export macros

[Timothy]

Thanks for reporting this.

Glenn Morris <rgm@gnu.org> writes:

> This seems contrary to normal Emacs practice for risky local variables,

Hmm, correct me if I'm wrong but the issue with risky local variables is
that they affect Emacs before the user sees them in the file? If this is
an important distinction, it means this particular type of concern does
not apply to Org #+macro statements, as they are not executed when the
user opens the file.

That said, if one were making say an automated Org file exporter or
something, I could see this being problematic. Perhaps a var set to
allow macros by default could be a good idea.

> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).

Looks like this should be updated regardless of the above.

--
Timothy

bug#48676: Arbitrary code execution in Org export macros

[Tom Gillespie]

Hi Glenn,
     The definition for local variables doesn't cover things like org
macros, though the spirit of the policy is something worth keeping in
mind. Running M-x org-export-dispatch and hitting two keys means that
the user has to do something to trigger code execution, much like they
would have to intentionally accept certain risky local variables.

That said, the fact that many org operations can run arbitrary code is
definitely something that needs clearer documentation. It might make
sense to add a setting to detect closures that appear in org files to
ask for permission before running, but it likely should not be on by
default.

For a fairly extensive discussion of code execution in org see this
thread from Nov 2020.
https://orgmode.org/list/robi94$ma$1@ciao.gmane.io/#t
Best,
Tom

bug#48676: Arbitrary code execution in Org export macros

[Greg Minshall]

Glenn,

thanks for the report.

i guess my take is that macro-evaluation, and that of other forms,
should be subject to the same restrictions as that of source block
evaluation.  i.e., prompting for permission to execute, subject to
=org-confirm-babel-evaluate= (or, more specific variables).

cheers, Greg

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
> 
> emacs -Q hello.org, where hello.org contains:
> 
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
> 
> Then:
> M-x org-export-dispatch
> t A
> 
> -> now /tmp/HELLO exist, with no prompting.
> 
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).

bug#48676: Arbitrary code execution in Org export macros

[Rafael Ramirez Morales]

[-- Attachment #1: Type: text/plain, Size: 750 bytes --]

Just a couple of questions:
who is the owner of the HELLO file?
OR
who is the owner of the "touch" process?

Is the owner the unprivileged user or the "emacs" system?

Thanks.

On Wed, 26 May 2021 at 17:53, Glenn Morris <rgm@gnu.org> wrote:

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exist, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).
>
>

[-- Attachment #2: Type: text/html, Size: 1370 bytes --]

bug#48676: Arbitrary code execution in Org export macros

[Mike Kupfer]

I just verified that this issue is still present in Emacs master
(4ae315f7c3).

mike