Unexpected launch of programs
ChillerDragon opened this issue · 10 comments
Code editor
neovim
Platform
Unix
Version
What steps will reproduce the bug?
Setup neovim with kickstart and add the following line to the init.lua
require('lspconfig').bashls.setup {}
How often does it reproduce? Is there a required condition?
Every time. The condition is assigning a variable value to a program that is in PATH that ignores the --help flag and just launches.
What is the expected behavior?
Not boot any application when requesting the list of auto completions.
What do you see instead?
A Qt/SDL application booting when I type in neovim with bash-lsp active.
Additional information
teeworlds_mentioned.mp4
The problem seems to have been introduced in #1052
I have encountered the same problem. Is there any workaround so far?
I have encountered the same problem. Is there any workaround so far?
I use the following workaround ChillerDragon@70bb028
This is a REALLY bad idea. Executing arbitrary code just because it's in $PATH is terrible, especially for shell scripters like me, where I actually have a script called killer that when executed with any non--d argument, like --help, it will kill every process on the system.
I don't want to worry about that issue when autocompleting. This needs to be either removed, or sandboxed with a tool like bubblewrap or seccomp, although these depend on a linux platform.
I don't want to worry about that issue when autocompleting. This needs to be either removed, or sandboxed with a tool like bubblewrap or seccomp, although these depend on a linux platform.
I am not sure if the man page is also problematic man -P cat ${word} | col -bx but I like the idea of a sandbox just to be sure. Or maybe the man page version could read the man page file on disk directly instead of launching a shell command with user input from the completion.
Is running man and col safe on every system? Is providing word as non quoted, non escaped argument safe with all possible inputs? I assume that all possible values for "word" get interpreted as string when passed as bash argument. But it still looks spooky.
Is providing word as non quoted, non escaped argument safe with all possible inputs?
When you try to add special characters, the autocomplete at least in neovim does not continue working, even when escaped with quotes or backslashes. ${word} in the code might already be syntactically sound, but I don't know.
So to ensure everything is escaped, the shell command should be run like this:
sh -c 'man -P cat "$1" | col -bx' sh "$word"So that argv[0] = "sh" and argv[1] = word, and the "$1" properly escapes all characters of argv[1] in the shell's context.
I don't know how to write the equivalent in JS.
I like the idea of a sandbox just to be sure.
For sandboxing, i suspect that the simplest method for Linux systems is seccomp, where you can limit syscalls to only allow writing to stdout/stderr. But I've never played with it so I don't know the details.
Additionally, programs may never use syscalls, but waste CPU forever, so it would be best to put a short timeout on commands and then kill -9 them.
To use bubblewrap, you could use a command like:
bwrap \
--unshare-all \
--die-with-parent \
--new-session \
--ro-bind "/usr/bin/$word" "/usr/bin/$word" \
--ro-bind /usr /usr \
--symlink lib /usr/lib64 \
--symlink /usr/lib /lib64 \
--symlink /usr/lib /lib \
--symlink /usr/bin /bin \
--symlink /usr/bin /sbin \
--tmpfs /tmp \
--tmpfs /run \
--proc /proc \
--dev /dev \
"$word" --helpTo ensure maximum functionality as well as safety. But there will also be binaries outside of /bin, so you could script a way to add binds from $PATH. And of course programs inside the bubblewrap can still abuse CPU and stuff, so make sure to keep the timeout mentioned above.
And we can't ignore that some programs use -h instead of --help, use -?, use neither, use one but not the others, only print help when improper usage is detected, etc. This feature is so messy that we should really just stick to manpages, the standard system-wide documentation.
Is running man and col safe on every system?
Afaik, it is. But if escape characters are a potential issue as-is, the man command should either be remade like mine, or not use a sh wrapper at all, and pipe man output to col using some JS function.
is there any fix yet?
I have the same issue
