Any tips on invoking notmuch cli securely? (pre-ANN yet another web client)

unofficial mirror of notmuch@notmuchmail.org
 help / color / mirror / code / Atom feed

From: Daniel Barlow <dan@telent.net>
To: notmuch@notmuchmail.org
Subject: Any tips on invoking notmuch cli securely? (pre-ANN yet another web client)
Date: Wed, 05 Sep 2018 09:26:35 +0100	[thread overview]
Message-ID: <874lf41hac.fsf@telent.net> (raw)

I'm writing yet another notmuch web client: this one with a focus on
mobile, because it's great having email in emacs when I'm home or at my
desk but it turns out I actually do most of my email from my phone.

The structure is

* a very small web server that invokes notmuch with --format=json in
  response to 

* a "single page" clojurescript web app (re-frame/reagent/react)

* an ssh tunnel joining the two

There are a number of ways this is currently insecure but the particular
one I want to ask about today is running the notmuch cli commands with
user-supplied arguments and whether there are any particular gotchas in
doing so?  I am reasonably sure that my code to invoke notmuch(1) is
calling execve(2) without invoking /bin/sh or the equivalent [*], but
are there ways, for example, that passing a weirdly formed thread-id to
["notmuch", "show", thread-id] could cause it to invoke a subshell or
delete the database or something else unexpected?  I did look briefly at
using libnotmuch directly, but the JSON output format is oh *so*
convenient and I'd be entirely happy not to have to reinvent it.

[*] in Java, Runtime.exec(String[] cmdarray)

If you speak Clojure, what I'm currently doing is
https://github.com/telent/epsilon/blob/master/src/epsilon/server.clj#L27

and you can see screenshots of the WIP at 
https://github.com/telent/epsilon/blob/master/README.md

Feedback welcome

-dan

next             reply	other threads:[~2018-09-05  8:35 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-05  8:26 Daniel Barlow [this message]
2018-09-06 19:12 ` Any tips on invoking notmuch cli securely? (pre-ANN yet another web client) David Bremner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://notmuchmail.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=874lf41hac.fsf@telent.net \
    --to=dan@telent.net \
    --cc=notmuch@notmuchmail.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://yhetil.org/notmuch.git/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).