gradle-completion
Security risk (?): Backticks in descriptions are evaluated!
We had a description defined like this with backticks:
description = "Runs dbmigrator --migrate on database started by `run-db-local` (eg via `:db:local:run`)."
Then in bash, I did
gradle :db:migrations[tab]
and saw:
$ gradle :db:migrations:-bash: run-db-local: command not found
-bash: :db:local:run: command not found
-bash: run-db-local: command not found
-bash: :db:local:run: command not found
Seems like this could be some attack vector, where a description could contain some malicious bash command.
Could the problem be here?
https://github.com/gradle/gradle-completion/blob/5c863bf6e6702bb763051d2bc74220bf9e922f4c/gradle-completion.bash#L204-L208
IIUC that filters text like
assemble - Assembles the outputs of this project.
bar:assemble - Assembles the outputs of this project.
:bar:assemble - Assembles the outputs of this project.
foo:assemble - Assembles the outputs of this project.
:foo:assemble - Assembles the outputs of this project
by prefix. Since it does
$( grep ... )
instead of
"$( grep ... )"
expansion may evaluate shell meta-characters.
My bash is kind of weak right now though.
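The following is an added example, not code from gradle-completion and not the lines linked above: it contrasts a prefix filter that treats each task line as data with one that re-expands the filtered text. The unsafe side uses `eval` as a stand-in for any consumer that performs shell expansion on a word list (bash's `compgen -W` is one such consumer, since it applies command substitution to its word list; whether that is what the linked script does is an assumption here, not something the report confirms). The task lines are constructed, with a harmless `echo` in place of a real command.

```sh
#!/bin/sh
# Constructed sample in the shape of "gradle tasks --all" output (not real
# project output). The second description carries backticks, as in the report.
TASK_LINES='assemble - Assembles the outputs of this project.
:db:migrations - Runs dbmigrator --migrate on the database started by `echo INJECTED` (eg via `:db:local:run`).
:db:local:run - Starts a local database.'

# Safe: filter by prefix, handing every line through as data. Nothing here
# performs expansion on the line, so backticks stay literal text. An anchored
# grep would do the same job; the case pattern is used so the prefix itself is
# matched literally (the quoted "$prefix" is not treated as a glob).
safe_candidates() {
    prefix=$1
    printf '%s\n' "$TASK_LINES" | while IFS= read -r line; do
        case $line in
            "$prefix"*) printf '%s\n' "$line" ;;
        esac
    done
}

# Unsafe: the already-filtered text is re-expanded. eval stands in for any
# expanding consumer; this is the step at which the backtick content runs.
unsafe_candidates() {
    filtered=$(safe_candidates "$1")
    eval "printf '%s\n' \"$filtered\""
}

# Check: list task lines that carry command-substitution syntax, so they can be
# caught before the list ever reaches an expanding consumer.
risky_descriptions() {
    printf '%s\n' "$TASK_LINES" | grep -n -e '`' -e '\$('
}

# Demo: the safe filter preserves the backticks; the unsafe one executes them.
printf 'safe:   %s\n' "$(safe_candidates ':db:migrations')"
printf 'unsafe: %s\n' "$(unsafe_candidates ':db:migrations' 2>/dev/null)"
printf 'risky lines:\n%s\n' "$(risky_descriptions)"
```

The distinction worth keeping in mind is that unquoted `$(...)` only word-splits and glob-expands its result; for backticks inside that result to run, the text has to pass through something that expands it again, and that is the step the completion script needs to avoid or sanitise.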
Ahhh, I've been seeing these things in my prompt for months now and I finally figured this out. The Gradle plugin for building IntelliJ plugins has multiple tasks that include backticks, so I get this
./gradlew -bash: robot-server: command not found
-bash: robot-server: command not found
-bash: plugin.xml: command not found
-bash: plugin.xml: command not found
-bash: plugin.xml: command not found
-bash: plugin.xml: command not found
It comes from the following task descriptions:
downloadRobotServerPlugin - Download `robot-server` plugin.
and
patchPluginXml - Patches `plugin.xml` files with values provided to the task.