
Security concern with spawning in shell

Open milan338 opened this issue 2 years ago • 2 comments

The current implementation of spawning in shell seems like a security hole. Issues with programs not found should be fixable by providing an absolute path to the binary in the settings. This might be an inconvenience to some users, but it should add some protection against malicious code. If nothing else, I think it would also be good to sanitise the commands being passed to spawn with something like shell-quote. It might be good to have a toggle for running shell / powershell that's disabled by default to further protect users.

milan338 avatar Sep 25 '22 06:09 milan338

I agree that it may be a security issue. But on the other hand, it is on the user to decide which code they execute and some want to execute in the shell to have access to their .*rc. I think sanitizing + making shell execution optional as you said is a good way to do it.

twibiral avatar Sep 25 '22 12:09 twibiral

To fix #81 and #77 I needed to change runCode to runCodeInShell for every language. See release 0.18.0.

This was just a quick fix and maybe we find a better way to solve this.

twibiral avatar Oct 02 '22 14:10 twibiral