From: Daniel Barlow
To: notmuch@notmuchmail.org
Subject: Any tips on invoking notmuch cli securely? (pre-ANN yet another web client)
Date: Wed, 05 Sep 2018 09:26:35 +0100
Message-ID: <874lf41hac.fsf@telent.net>
List-Id: "Use and development of the notmuch mail system."

I'm writing yet another notmuch web client: this one with a focus on mobile, because it's great having email in emacs when I'm home or at my desk, but it turns out I actually do most of my email from my phone.

The structure is

* a very small web server that invokes notmuch with --format=json in response to
* a "single page" clojurescript web app (re-frame/reagent/react)
* an ssh tunnel joining the two

There are a number of ways this is currently insecure, but the particular one I want to ask about today is running the notmuch cli commands with user-supplied arguments, and whether there are any particular gotchas in doing so?

I am reasonably sure that my code to invoke notmuch(1) is calling execve(2) without invoking /bin/sh or the equivalent [*], but are there ways, for example, that passing a weirdly formed thread-id to ["notmuch", "show", thread-id] could cause it to invoke a subshell or delete the database or something else unexpected?

I did look briefly at using libnotmuch directly, but the JSON output format is oh *so* convenient and I'd be entirely happy not to have to reinvent it.

[*] in Java, Runtime.exec(String[] cmdarray)

If you speak Clojure, what I'm currently doing is
https://github.com/telent/epsilon/blob/master/src/epsilon/server.clj#L27
and you can see screenshots of the WIP at
https://github.com/telent/epsilon/blob/master/README.md

Feedback welcome

-dan
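An added illustration of the point raised above, written for this discussion and not taken from the epsilon project or from notmuch: passing an argv array straight to execve(2) does keep the shell out of the picture, but the user-supplied element is still handed to notmuch's own option parser and to its query parser. A value beginning with `-` can therefore be read as an option, and a value that is a valid search expression (notmuch show accepts search terms, and `*` matches every message) widens what the request returns. The defensive move is to validate the string against the one shape the web app legitimately needs before it is placed in argv. The example assumes `notmuch` is on PATH and that thread ids take the form `thread:` followed by 16 lowercase hex digits, as notmuch generates them; the class and method names are chosen here and are not part of the project.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

/** Added example (not epsilon or notmuch code): build a notmuch argv from a
 *  user-supplied thread id without a shell, and reject anything that is not
 *  a thread id before it reaches the command line. */
public final class NotmuchInvoker {
    // Assumption: the notmuch binary is found on PATH under this name.
    static final String NOTMUCH = "notmuch";

    // Assumed id shape: "thread:" plus 16 lowercase hex digits, nothing else.
    // This rejects option-looking values ("--config=..."), broader search
    // terms ("*", "tag:inbox"), whitespace and control characters.
    private static final Pattern THREAD_ID = Pattern.compile("^thread:[0-9a-f]{16}$");

    /** Returns the candidate unchanged if it is a well-formed thread id, else throws. */
    public static String validateThreadId(String candidate) {
        if (candidate == null || !THREAD_ID.matcher(candidate).matches()) {
            throw new IllegalArgumentException("not a notmuch thread id: " + candidate);
        }
        return candidate;
    }

    /** argv for `notmuch show --format=json <id>`. Each element is passed to
     *  execve verbatim; no shell ever sees the string. */
    public static List<String> showCommand(String userThreadId) {
        return List.of(NOTMUCH, "show", "--format=json", validateThreadId(userThreadId));
    }

    /** Runs the command and returns its stdout as UTF-8 text. Stdout is drained
     *  before waitFor() so a large thread cannot block the child on a full pipe;
     *  stderr is passed through to the server's own stderr for the same reason. */
    public static String runShow(String userThreadId) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(showCommand(userThreadId));
        pb.redirectError(ProcessBuilder.Redirect.INHERIT);
        Process p = pb.start();
        byte[] out = p.getInputStream().readAllBytes();
        int status = p.waitFor();
        if (status != 0) {
            throw new IOException("notmuch exited with status " + status);
        }
        return new String(out, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed inputs: one well-formed id and two that must be refused.
        for (String s : List.of("thread:0000000000000abc", "--config=/tmp/evil", "*")) {
            try {
                System.out.println("accepted: " + showCommand(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The same pattern applies to any other user-controlled argv element the server passes on (search strings, tag names): decide the narrowest grammar the client actually needs, match against it, and only then build the array. Validating at this boundary also gives a single place to log and rate-limit refused requests.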