jaredj/glotawk - Change 7SNXCC5KSDXU3MBJT2FBEPAISWPY62DHPC2RLEYXC2WVTWX5TKKQC

avoid command injection in system function; add apply; fix newlines in dumped strings

Created by jaredj on August 17, 2025

7SNXCC5KSDXU3MBJT2FBEPAISWPY62DHPC2RLEYXC2WVTWX5TKKQC

Dependencies

In channels

main

Change contents

Replacement in sane_lisp at line 168 [4.900]

B:BD[2.302] → [2.302:304]

[2.302]

[4.3557]

lisp_eval_should_be '(shellquote "foo")' '"'\''foo'\''"' 'shellquote, trivial'
lisp_eval_should_be '(shellquote "foo'\''s")' '"'\''foo'\'\\\'\''s'\''"' 'shellquote, single single quote'
lisp_eval_should_be '(shellquote "c d")' '"'\''c d'\''"' 'shellquote, space'
lisp_eval_should_be '(shellquote "$foo")' '"'\''$foo'\''"' 'shellquote, dollarsign'
lisp_eval_should_be '(shellquote "a\\nb")' '"'\''a\nb'\''"' 'shellquote, newline'
lisp_eval_should_be '(unsafe-system "echo hi; echo ho")' 'hi
ho' 'unsafe-system vulnerable to command injection'
lisp_eval_should_be '(system "echo" "hi;" "echo" "ho")' 'hi; echo ho' 'system properly escapes arguments'
lisp_eval_should_be '(let ((a '\''(1 2 3))) (apply + 6 a))' '12' 'apply'

Replacement in osf.awk at line 6 [5.954]

B:BD[5.1042] → [5.1042:1134]

    if(car == _symbol("system"))
        return _system(_eval3(_cadr(form), env, env, d+1))

[5.1042]

[5.1134]

    if(car == _symbol("shellquote"))
        return _shellquote(_eval3(_cadr(form), env, env, d+1))
    if(car == _symbol("unsafe-system"))
        return _unsafe_system(_eval3(_cadr(form), env, env, d+1))

Replacement in osf.awk at line 103 [5.954]
B:BD[5.3575] → [3.0:22]
```
function _system(s) {
```
[5.3575]
[3.22]
```
function _shellquote(s,   subber) {
```

Replacement in osf.awk at line 105 [5.954]

B:BD[3.48] → [3.48:83]

        return _system(_STRING[s])

[3.48]

[3.83]

        subber = _STRING[s]
        # This lisp is aimed at system administration, where it might
        # run as root, and unquoted control characters output to a
        # terminal may have ill effects. Rather nerf the control
        # characters than pass them through. But we'll let \011, HT;
        # \012, LF; and \015, CR, through.
        gsub(/[\001-\010\013-\014\016-\037]/, "[GlotawkNerfedCtrl]", subber)
        gsub(/'/, "'\\''", subber)
        sub(/^/, "'", subber)
        sub(/$/, "'", subber)
        return _string(subber)

Replacement in osf.awk at line 117 [5.954]

B:BD[3.96] → [3.96:156]

        logg_err("_system", "non-string operand " _repr(s))

[3.96]

[3.156]

        logg_err("_shellquote", "non-string operand " _repr(s))
        return _nil()
    }
}
# This is unsafe because you pass in a single string, which is passed
# straight to the shell. If the string contains any user-controlled
# input, calling unsafe-system with it introduces a command injection
# vulnerability, CWE-78.
function _unsafe_system(s) {
    if(_TYPE[s] == "s") {
        return system(_STRING[s])
    } else {
        logg_err("_unsafe_system", "non-string operand " _repr(s))

Insertion in osf.awk at line 391 [5.954]

[6.3837]

            logg_dbg("_printf", "printfing " fmt)

Insertion in lib-eval.awk at line 42 [7.21710]
[7.23226]
[8.887]
```
(setq apply (lambda xs (apply xs)))            \
```

Replacement in lib-eval.awk at line 124 [7.21710]

B:BD[9.472] → [9.472:512]

(setq system (lambda (x) (system x))) \

[9.472]

[9.512]

(setq unsafe-system (lambda (x) (system x))) \
(setq shellquote (lambda (x) (shellquote x))) \
(setq intercalate (lambda (it them) \
                          (cond ((null them)) \
                                ((null (cdr them)) them) \
                                (true (cons (car them) \
                                            (cons it \
                                                  (intercalate it (cdr them)))))))) \
(setq string-join (lambda args (apply strcat (intercalate (car args) (cdr args))))) \
(setq system (lambda argv (unsafe-system (apply string-join \" \" (mapcar shellquote argv)))))\

Insertion in lib-eval.awk at line 163 [7.21710]

[10.818]

[7.23695]

    _GLOBALS = _cons(_cons(_symbol("a-newline"), _cons(_string("\n"), _nil())),
                     _GLOBALS)

Insertion in first-symbols.awk at line 40 [5.17737]
[5.18564]
[5.18564]
```
    _symbol("apply")
```
Replacement in first-symbols.awk at line 67 [5.17737]
B:BD[5.19088] → [5.19088:19110]
```
    _symbol("system")
```
[5.19088]
[5.19110]
```
    _symbol("shellquote")
    _symbol("unsafe-system")
```

Insertion in first-symbols.awk at line 101 [5.17737]

[11.2648]

    _symbol("intercalate")
    _symbol("string-join")
    _symbol("system")

Insertion in eval.awk at line 225 [4.11057]

[12.1097]

[5.19557]

function _apply(args, env, depth,      last, butlast) {
#    logg_dbg("apply", _repr(args), depth)
    if(_is_null(args)) # (apply)
        return _nil()
    else if(_is_null(_cdr(args))) # (apply just-a-function-no-args)
        return _eval3(args, env, env, depth)
    else {
        butlast = _nil()
        for(last=args; !_is_null(_cdr(last)); last=_cdr(last)) {
            butlast = _cons(_car(last), butlast)
        }
        # now, butlast is a reversed copy of everything but the last.
        # last is the (unevaluated) last cdr in args. is last a list?
#        logg_dbg("apply", "butlast is " butlast " with " _repr(butlast), depth)
#        logg_dbg("apply", "last is    " last " with " _repr(last) ". evalling", depth)
        last = _eval3(_car(last), env, env, depth+1)
#        logg_dbg("apply", "last is now " last " with " _repr(last), depth)
        if(_TYPE[last] == "(") {
            args = _nconc(_nreverse(butlast), last)
#            logg_dbg("apply", "now we shall evaluate " _repr(args), depth)
            return _eval3(args, env, env, depth)
        } else {
            # last is an atom. why'd you use apply? oh well.
#            logg_dbg("apply", "last is not a list. oh well, evaluating " _repr(args), depth)
            return _eval3(args, env, env, depth)
        }
    }
}

Insertion in eval.awk at line 304 [4.11057]

[5.21875]

    else if(car == _symbol("apply"))
        return _apply(_cdr(form), env, d+1)

Insertion in dump.awk at line 7 [7.37838]
[13.2313]
[13.2313]
```
    gsub(/\n/, "\\n", string)
```
Replacement in dump.awk at line 21 [7.37838]
B:BD[7.38184] → [7.38184:38205]
```
        awkescape(v)
```
[7.38184]
[7.38205]
```
        v = awkescape(v)
```
Replacement in dump.awk at line 43 [7.37838]
B:BD[7.38520] → [7.38520:38545]
```
            awkescape(v)
```
[7.38520]
[7.38545]
```
            v = awkescape(v)
```
Replacement in dump.awk at line 49 [7.37838]
B:BD[7.38768] → [7.38768:38793]
```
            awkescape(v)
```
[7.38768]
[7.38793]
```
            v = awkescape(v)
```

avoid command injection in system function; add apply; fix newlines in dumped strings

Dependencies

In channels

Change contents

Replacement in sane_lisp at line 168 [4.900]

Replacement in osf.awk at line 6 [5.954]

Replacement in osf.awk at line 103 [5.954]

Replacement in osf.awk at line 105 [5.954]

Replacement in osf.awk at line 117 [5.954]

Insertion in osf.awk at line 391 [5.954]

Insertion in lib-eval.awk at line 42 [7.21710]

Replacement in lib-eval.awk at line 124 [7.21710]

Insertion in lib-eval.awk at line 163 [7.21710]

Insertion in first-symbols.awk at line 40 [5.17737]

Replacement in first-symbols.awk at line 67 [5.17737]

Insertion in first-symbols.awk at line 101 [5.17737]

Insertion in eval.awk at line 225 [4.11057]

Insertion in eval.awk at line 304 [4.11057]

Insertion in dump.awk at line 7 [7.37838]

Replacement in dump.awk at line 21 [7.37838]

Replacement in dump.awk at line 43 [7.37838]

Replacement in dump.awk at line 49 [7.37838]