unofficial mirror of notmuch@notmuchmail.org
* Any tips on invoking notmuch cli securely? (pre-ANN yet another web client)
@ 2018-09-05  8:26 Daniel Barlow
  2018-09-06 19:12 ` David Bremner
  0 siblings, 1 reply; 2+ messages in thread
From: Daniel Barlow @ 2018-09-05  8:26 UTC (permalink / raw)
  To: notmuch


I'm writing yet another notmuch web client: this one with a focus on
mobile, because it's great having email in emacs when I'm home or at my
desk but it turns out I actually do most of my email from my phone.

The structure is

* a very small web server that invokes notmuch with --format=json in
  response to 

* a "single page" clojurescript web app (re-frame/reagent/react)

* an ssh tunnel joining the two

There are a number of ways this is currently insecure but the particular
one I want to ask about today is running the notmuch cli commands with
user-supplied arguments and whether there are any particular gotchas in
doing so?  I am reasonably sure that my code to invoke notmuch(1) is
calling execve(2) without invoking /bin/sh or the equivalent [*], but
are there ways, for example, that passing a weirdly formed thread-id to
["notmuch", "show", thread-id] could cause it to invoke a subshell or
delete the database or something else unexpected?  I did look briefly at
using libnotmuch directly, but the JSON output format is oh *so*
convenient and I'd be entirely happy not to have to reinvent it.

[*] in Java, Runtime.exec(String[] cmdarray)

If you speak Clojure, what I'm currently doing is
https://github.com/telent/epsilon/blob/master/src/epsilon/server.clj#L27

and you can see screenshots of the WIP at 
https://github.com/telent/epsilon/blob/master/README.md

Feedback welcome

-dan
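
A defensive wrapper for the invocation described above, added here as an illustration (not code from the original post or from epsilon): it validates a user-supplied thread-id against a strict allow-list before it becomes an argv element, so that values beginning with "-" or containing free-form query text never reach the notmuch command line, and it passes the argv list directly (no shell), which is the Python equivalent of the execve(2) path the post mentions. It assumes the canonical thread-id form "thread:" followed by 16 lowercase hex digits.

```python
import re
import subprocess
from typing import List

# Assumed canonical notmuch thread id: "thread:" + 16 lowercase hex digits.
# Anything outside this allow-list is rejected before it reaches execve.
THREAD_ID_RE = re.compile(r"thread:[0-9a-f]{16}")


def is_valid_thread_id(thread_id: str) -> bool:
    """Return True only for a canonical thread id (whole string must match)."""
    return THREAD_ID_RE.fullmatch(thread_id) is not None


def build_show_argv(thread_id: str) -> List[str]:
    """Build argv for `notmuch show --format=json <thread-id>`.

    Rejecting everything but a canonical id also rules out strings that
    start with '-' (which notmuch would parse as options rather than as a
    search term) and arbitrary query syntax such as wildcards or 'or'.
    """
    if not is_valid_thread_id(thread_id):
        raise ValueError(f"rejected thread id: {thread_id!r}")
    return ["notmuch", "show", "--format=json", thread_id]


def show_thread(thread_id: str) -> str:
    """Run notmuch without a shell: a list argv is handed straight to execve."""
    argv = build_show_argv(thread_id)
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return completed.stdout


if __name__ == "__main__":
    # Constructed sample inputs, not real mailbox data.
    for candidate in ["thread:0000000000000abc",   # accepted
                      "--config=/tmp/evil",         # option-looking value, rejected
                      "thread:* or *",              # query syntax, rejected
                      "thread:0000000000000ABC"]:   # not canonical, rejected
        try:
            print(build_show_argv(candidate))
        except ValueError as err:
            print(err)
```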


* Re: Any tips on invoking notmuch cli securely? (pre-ANN yet another web client)
  2018-09-05  8:26 Any tips on invoking notmuch cli securely? (pre-ANN yet another web client) Daniel Barlow
@ 2018-09-06 19:12 ` David Bremner
  0 siblings, 0 replies; 2+ messages in thread
From: David Bremner @ 2018-09-06 19:12 UTC (permalink / raw)
  To: Daniel Barlow, notmuch; +Cc: xapian-discuss

Daniel Barlow <dan@telent.net> writes:

> There are a number of ways this is currently insecure but the particular
> one I want to ask about today is running the notmuch cli commands with
> user-supplied arguments and whether there are any particular gotchas in
> doing so?  I am reasonably sure that my code to invoke notmuch(1) is
> calling execve(2) without invoking /bin/sh or the equivalent [*], but
> are there ways, for example, that passing a weirdly formed thread-id to
> ["notmuch", "show", thread-id] could cause it to invoke a subshell or
> delete the database or something else unexpected?  I did look briefly at
> using libnotmuch directly, but the JSON output format is oh *so*
> convenient and I'd be entirely happy not to have to reinvent it.

I'm leery of making any kind of guarantees, because the notmuch CLI has
never been audited from a security minded point of view. It is C, so I
expect there are the usual kinds of bounds checking failures and buffer
overruns.

On the other hand, I'm reasonably sure nothing in the notmuch
query parser calls the shell. We do use the Xapian query parser pretty
much as a black box, so we'd inherit any (hypothetical)
vulnerabilities. On the other hand, Olly (in copy) has actually designed
the parser to be used in web facing software from the beginning, so
that's probably not a big issue.

d

