Security risk (?): Backticks in descriptions are attempted to eval!
Enrico2 opened this issue · 3 comments
We had a description defined like this with backticks:
description = "Runs dbmigrator --migrate on database started by `run-db-local` (eg via `:db:local:run`)."
Then in bash, I did
gradle :db:migrations[tab]
and saw:
$ gradle :db:migrations:-bash: run-db-local: command not found
-bash: :db:local:run: command not found
-bash: run-db-local: command not found
-bash: :db:local:run: command not found
Seems like this could be some attack vector, where a description could contain some malicious bash command.
Could the problem be here?
gradle-completion/gradle-completion.bash
Lines 204 to 208 in 5c863bf
IIUC that filters text like
assemble - Assembles the outputs of this project.
bar:assemble - Assembles the outputs of this project.
:bar:assemble - Assembles the outputs of this project.
foo:assemble - Assembles the outputs of this project.
:foo:assemble - Assembles the outputs of this project
by prefix. Since it does
$( grep ... )
instead of
"$( grep ... )"
expansion may evaluate shell meta-characters.
My bash is kind of weak right now though.
Ahhh I see these things in my prompt for month now and I finally figured out this.
The gradle plugin for building IntelliJ plugin have multiple tasks that includes backticks so I get this
./gradlew -bash: robot-server: command not found
-bash: robot-server: command not found
-bash: plugin.xml: command not found
-bash: plugin.xml: command not found
-bash: plugin.xml: command not found
-bash: plugin.xml: command not found
It comes from the following tasks descriptions
downloadRobotServerPlugin - Download
robot-server
plugin.
and
patchPluginXml - Patches
plugin.xml
files with values provided to the task.