From c3b753bba4fe6b35c008b061c3a345868d1cc9e2 Mon Sep 17 00:00:00 2001 From: Kevin Day Date: Thu, 5 Jun 2025 21:35:34 -0500 Subject: [PATCH] Security: Explicitly define IFS to prevent misuse. The scripts are written with certain expectations. This expectation may not be properly met if the `IFS` value is changed. This can potentially be used to create some sort of exploit. Explicitly define IFS and then do so at a local variable scope to prevent affecting the callers IFS setting.` --- build/scripts/bootstrap-example.sh | 2 ++ build/scripts/bootstrap.sh | 3 ++- build/scripts/generate_codepoints_from_digits.sh | 2 ++ build/scripts/generate_ctags.sh | 3 ++- build/scripts/generate_unicode.sh | 2 ++ build/scripts/install.sh | 3 ++- build/scripts/package.sh | 3 ++- build/scripts/test.sh | 3 ++- level_3/fake/data/build/process_post.sh | 2 ++ level_3/fake/data/build/process_pre.sh | 2 ++ level_3/fake/data/projects/go/example_go/data/build/process_post.sh | 6 ++++++ level_3/fake/data/projects/go/example_go/data/build/process_pre.sh | 6 ++++++ level_3/fss_read/tests/runtime/script/generate.sh | 2 ++ level_3/fss_read/tests/runtime/script/verify.sh | 2 ++ level_3/iki_read/tests/runtime/script/generate.sh | 2 ++ level_3/iki_read/tests/runtime/script/verify.sh | 2 ++ 16 files changed, 40 insertions(+), 5 deletions(-) diff --git a/build/scripts/bootstrap-example.sh b/build/scripts/bootstrap-example.sh index d704449..c049419 100644 --- a/build/scripts/bootstrap-example.sh +++ b/build/scripts/bootstrap-example.sh @@ -42,6 +42,8 @@ # main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + if [[ ${SHELL_ENGINE} == "zsh" ]] ; then emulate ksh fi diff --git a/build/scripts/bootstrap.sh b/build/scripts/bootstrap.sh index aef0497..1e5562c 100644 --- a/build/scripts/bootstrap.sh +++ b/build/scripts/bootstrap.sh @@ -13,6 +13,7 @@ # bootstrap_main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. if [[ ${SHELL_ENGINE} == "zsh" ]] ; then emulate ksh @@ -3035,4 +3036,4 @@ bootstrap_cleanup() { unset bootstrap_cleanup } -bootstrap_main $* +bootstrap_main ${*} diff --git a/build/scripts/generate_codepoints_from_digits.sh b/build/scripts/generate_codepoints_from_digits.sh index 1bc3410..fe7d3a4 100644 --- a/build/scripts/generate_codepoints_from_digits.sh +++ b/build/scripts/generate_codepoints_from_digits.sh @@ -9,6 +9,8 @@ # main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + local -i first="$1" local -i last="$2" diff --git a/build/scripts/generate_ctags.sh b/build/scripts/generate_ctags.sh index a3d86b6..23467c9 100644 --- a/build/scripts/generate_ctags.sh +++ b/build/scripts/generate_ctags.sh @@ -10,6 +10,7 @@ # main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. if [[ ${SHELL_ENGINE} == "zsh" ]] ; then emulate ksh @@ -290,4 +291,4 @@ generate_ctags_cleanup() { unset generate_ctags_cleanup } -main $* +main ${*} diff --git a/build/scripts/generate_unicode.sh b/build/scripts/generate_unicode.sh index 9815ff1..b339669 100644 --- a/build/scripts/generate_unicode.sh +++ b/build/scripts/generate_unicode.sh @@ -11,6 +11,8 @@ # main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + local file_input="codes.txt" local mode=$1 local code= diff --git a/build/scripts/install.sh b/build/scripts/install.sh index c8972d1..fb971b5 100644 --- a/build/scripts/install.sh +++ b/build/scripts/install.sh @@ -14,6 +14,7 @@ # install_main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. if [[ ${SHELL_ENGINE} == "zsh" ]] ; then emulate ksh @@ -877,4 +878,4 @@ install_cleanup() { unset install_cleanup } -install_main $* +install_main ${*} diff --git a/build/scripts/package.sh b/build/scripts/package.sh index a87472d..fe89988 100644 --- a/build/scripts/package.sh +++ b/build/scripts/package.sh @@ -12,6 +12,7 @@ # package_main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. if [[ ${SHELL_ENGINE} == "zsh" ]] ; then emulate ksh @@ -2438,4 +2439,4 @@ package_cleanup() { unset package_cleanup } -package_main $* +package_main ${*} diff --git a/build/scripts/test.sh b/build/scripts/test.sh index e835939..51ddbb0 100644 --- a/build/scripts/test.sh +++ b/build/scripts/test.sh @@ -14,6 +14,7 @@ # test_main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. local shell_command=bash if [[ ${SHELL_ENGINE} == "zsh" ]] ; then @@ -1129,4 +1130,4 @@ test_cleanup() { unset test_cleanup } -test_main $* +test_main ${*} diff --git a/level_3/fake/data/build/process_post.sh b/level_3/fake/data/build/process_post.sh index 500d1d0..c00efa9 100755 --- a/level_3/fake/data/build/process_post.sh +++ b/level_3/fake/data/build/process_post.sh @@ -8,6 +8,8 @@ # The dependencies of this script are: bash and sed. # process_post_main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + local grab_next= local do_color=dark local i=0 diff --git a/level_3/fake/data/build/process_pre.sh b/level_3/fake/data/build/process_pre.sh index a7500c0..1f4c785 100755 --- a/level_3/fake/data/build/process_pre.sh +++ b/level_3/fake/data/build/process_pre.sh @@ -8,6 +8,8 @@ # The dependencies of this script are: bash and sed. # process_pre_main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + local grab_next= local do_color=dark local i=0 diff --git a/level_3/fake/data/projects/go/example_go/data/build/process_post.sh b/level_3/fake/data/projects/go/example_go/data/build/process_post.sh index 05a7907..a5fc4d8 100755 --- a/level_3/fake/data/projects/go/example_go/data/build/process_post.sh +++ b/level_3/fake/data/projects/go/example_go/data/build/process_post.sh @@ -1,2 +1,8 @@ #!/bin/bash +main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + +} + +main ${*} diff --git a/level_3/fake/data/projects/go/example_go/data/build/process_pre.sh b/level_3/fake/data/projects/go/example_go/data/build/process_pre.sh index 05a7907..a5fc4d8 100755 --- a/level_3/fake/data/projects/go/example_go/data/build/process_pre.sh +++ b/level_3/fake/data/projects/go/example_go/data/build/process_pre.sh @@ -1,2 +1,8 @@ #!/bin/bash +main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + +} + +main ${*} diff --git a/level_3/fss_read/tests/runtime/script/generate.sh b/level_3/fss_read/tests/runtime/script/generate.sh index 11c8479..d3543bb 100644 --- a/level_3/fss_read/tests/runtime/script/generate.sh +++ b/level_3/fss_read/tests/runtime/script/generate.sh @@ -11,6 +11,8 @@ # generate_main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + local file_source="${2}" local path_destination="${3}" local failure=0 diff --git a/level_3/fss_read/tests/runtime/script/verify.sh b/level_3/fss_read/tests/runtime/script/verify.sh index 64b9517..b6eb78c 100644 --- a/level_3/fss_read/tests/runtime/script/verify.sh +++ b/level_3/fss_read/tests/runtime/script/verify.sh @@ -10,6 +10,8 @@ # verify_main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + local path_build="${1}" local path_expect="${2}" local test_name="${3}" diff --git a/level_3/iki_read/tests/runtime/script/generate.sh b/level_3/iki_read/tests/runtime/script/generate.sh index 7138fbe..40dcc5d 100644 --- a/level_3/iki_read/tests/runtime/script/generate.sh +++ b/level_3/iki_read/tests/runtime/script/generate.sh @@ -11,6 +11,8 @@ # generate_main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + local file_source="${2}" local path_destination="${3}" local failure=0 diff --git a/level_3/iki_read/tests/runtime/script/verify.sh b/level_3/iki_read/tests/runtime/script/verify.sh index 64b9517..b6eb78c 100644 --- a/level_3/iki_read/tests/runtime/script/verify.sh +++ b/level_3/iki_read/tests/runtime/script/verify.sh @@ -10,6 +10,8 @@ # verify_main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + local path_build="${1}" local path_expect="${2}" local test_name="${3}" -- 1.8.3.1