From: David Bremner
To: Daniel Barlow, notmuch@notmuchmail.org
Cc: xapian-discuss@lists.xapian.org
Subject: Re: Any tips on invoking notmuch cli securely? (pre-ANN yet another web client)
In-Reply-To: <874lf41hac.fsf@telent.net>
References: <874lf41hac.fsf@telent.net>
Date: Thu, 06 Sep 2018 16:12:54 -0300
Message-ID: <877ejy4eyx.fsf@tethera.net>
List-Id: "Use and development of the notmuch mail system."

Daniel Barlow writes:

> There are a number of ways this is currently insecure but the particular
> one I want to ask about today is running the notmuch cli commands with
> user-supplied arguments and whether there are any particular gotchas in
> doing so?
> I am reasonably sure that my code to invoke notmuch(1) is
> calling execve(2) without invoking /bin/sh or the equivalent [*], but
> are there ways, for example, that passing a weirdly formed thread-id to
> ["notmuch", "show", thread-id] could cause it to invoke a subshell or
> delete the database or something else unexpected? I did look briefly at
> using libnotmuch directly, but the JSON output format is oh *so*
> convenient and I'd be entirely happy not to have to reinvent it.

I'm leery of making any kind of guarantees, because the notmuch CLI has
never been audited from a security-minded point of view. It is C, so I
expect there are the usual kinds of bounds checking failures and buffer
overruns. On the other hand, I'm reasonably sure nothing in the notmuch
query parser calls the shell.

We do use the Xapian query parser pretty much as a black box, so we'd
inherit any (hypothetical) vulnerabilities. On the other hand, Olly (in
copy) has actually designed the parser to be used in web facing software
from the beginning, so that's probably not a big issue.

d
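An added example (not code from the thread's authors or from the notmuch project) of the argv discipline the question is about: a list handed straight to execve(2) through Python's subprocess with shell=False, with the user value checked against an allowlist and pinned behind a fixed "thread:" prefix so it can never start with "-" and be read by notmuch's own option parser as a flag. The helper names, the constructed hostile inputs and the assumption that a thread id is 16 lowercase hex digits are this example's own; --format=json is a real option of notmuch show and notmuch search.

```python
"""Invoke the notmuch CLI with user-supplied arguments, without a shell.

Added example for the question above; not code from the thread's authors
or from the notmuch project. Helper names below are made up here.
"""
from __future__ import annotations

import json
import re
import shutil
import subprocess

# Assumption of this example: a notmuch thread id is 16 lowercase hex
# digits (the "thread:0000000000000a5b" form seen in search output).
# Anything else is refused before it gets anywhere near argv.
THREAD_ID_RE = re.compile(r"\A[0-9a-f]{16}\Z")


class BadArgument(ValueError):
    """User-supplied value refused before any process is spawned."""


def build_show_argv(thread_id: str) -> list[str]:
    """argv for `notmuch show --format=json thread:<id>`.

    Two layers: an allowlist on the id, and a fixed "thread:" prefix so the
    user token can never begin with '-' and be taken by notmuch's own
    option parser for a flag (e.g. a "thread id" of --format=raw).
    """
    if not isinstance(thread_id, str) or not THREAD_ID_RE.fullmatch(thread_id):
        raise BadArgument(f"not a thread id: {thread_id!r}")
    return ["notmuch", "show", "--format=json", "thread:" + thread_id]


def build_search_argv(user_query: str) -> list[str]:
    """argv for a free-form search.

    The query still reaches the Xapian query parser (as ONE argv element,
    never a shell), so the only thing guarded here is option injection.
    """
    if not user_query or user_query[0] == "-" or "\0" in user_query:
        raise BadArgument(f"refusing query {user_query!r}")
    return ["notmuch", "search", "--format=json", user_query]


def run_notmuch(argv: list[str], timeout: float = 30.0) -> object:
    """Run argv via execve(2): a list, shell=False, no stdin, bounded runtime."""
    proc = subprocess.run(
        argv,
        shell=False,
        stdin=subprocess.DEVNULL,
        capture_output=True,
        timeout=timeout,
        check=False,
    )
    if proc.returncode != 0:
        err = proc.stderr.decode(errors="replace").strip()
        raise RuntimeError(f"{argv[1]} failed ({proc.returncode}): {err}")
    return json.loads(proc.stdout)


# Constructed hostile inputs a web client might receive as a "thread id".
HOSTILE_THREAD_IDS = [
    "--format=raw",                 # option injection into notmuch show
    "0000000000000a5b; rm -rf ~",   # shell metacharacters: inert under execve, still refused
    "0000000000000a5b or *",        # Xapian query operators
    "$(id)",
    "",
]


def rejected(values) -> list[str]:
    """Return the subset of values that build_show_argv refuses."""
    out = []
    for v in values:
        try:
            build_show_argv(v)
        except BadArgument:
            out.append(v)
    return out


if __name__ == "__main__":
    print(build_show_argv("0000000000000a5b"))
    print("rejected:", rejected(HOSTILE_THREAD_IDS))
    if shutil.which("notmuch"):
        # Only runs when notmuch is installed and configured; the argv
        # builders above demonstrate the discipline without it.
        threads = run_notmuch(build_search_argv("tag:inbox"))
        print(len(threads), "threads in inbox")
```

The point of the "thread:" prefix is that a shell is not the only parser between the web client and the database: notmuch has its own option parser, so a value like --format=raw that would be harmless under execve(2) is still an injection if it lands in argv unprefixed. The free-form search path deliberately does not try to sanitise Xapian syntax; it only keeps the token from looking like an option and leaves query parsing to Xapian, which is the part of the pipeline the reply above says was designed for web-facing use.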