[PATCH] alias: aliascmd: refuse uninvokable aliases

From: наб <nabijaczleweli@nabijaczleweli.xyz>
To: dash@vger.kernel.org
Subject: [PATCH] alias: aliascmd: refuse uninvokable aliases
Date: Sat, 17 Dec 2022 20:07:05 +0100	[thread overview]
Message-ID: <20221217190705.atfwacsgggtafzl2@tarta.nabijaczleweli.xyz> (raw)

[-- Attachment #1: Type: text/plain, Size: 2987 bytes --]

See standards quote within, but the fun bit is:
  alias "a'b=c" "ls&id=cd"; alias
outputs
  ls&id='cd'
  a'b='c'
neither of which is What You Want, and also you can't invoke them
because you need to escape the quote/&/whatever, which disables
alias processing. Forbid the minimum broken set.

For reference's sake, here's a test driver:
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <sys/wait.h>
  #include <unistd.h>
  int main(int _, char ** argv) {
  	putenv("LC_ALL=C");
  	char val[] = "alias 'aQb=echo a' && alias";
  	unsigned char * vp = strchr(val, 'Q');
  	for(unsigned i = 0; i <= 0xFF; ++i) {
  		*vp = i;
  		if(!vfork()) {
  			execl(argv[1], "sh", "-c", val, (char *)NULL);
  			_exit(-1);
  		}
  		int r;
  		wait(&r);
  		fprintf(stderr, "%02x: %d\n", i, WEXITSTATUS(r));
  	}
  }

zsh  refuses nothing
dash refuses 09 0a 20 22 24 26 27 28 29 3b 3c 3e 5c 60 7c
bash refuses dash + 2f
mksh refuses bash + 23 + 2a + 3f + 5e + <20 + >7c
ksh  refuses bash + 2a + 3f + 5b + 7b + 7d

Fixes: https://bugs.debian.org/758542
---
 src/alias.c | 35 ++++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/src/alias.c b/src/alias.c
index daeacbb..81de975 100644
--- a/src/alias.c
+++ b/src/alias.c
@@ -32,6 +32,7 @@
  * SUCH DAMAGE.
  */
 
+#include <stdbool.h>
 #include <stdlib.h>
 #include "shell.h"
 #include "input.h"
@@ -46,10 +47,38 @@
 
 struct alias *atab[ATABSIZE];
 
+STATIC bool validalias(const char *);
 STATIC void setalias(const char *, const char *);
 STATIC struct alias *freealias(struct alias *);
 STATIC struct alias **__lookupalias(const char *);
 
+/*
+ * POSIX Issue 7, XCU, 2.3.1 Alias Substitution:
+ *   the command name word of a simple command shall be examined
+ *   to determine whether it is an unquoted, valid alias name
+ * POSIX Issue 7, XCU, 2.2 Quoting:
+ *   The various quoting mechanisms are the escape character,
+ *   single-quotes, and double-quotes.
+ *
+ * Trivially, it's impossible to invoke an alias with whitespace inside
+ * (which has to be quoted, and therefore won't be an alias),
+ * with a backslash, or with quotes (likewise).
+ * The same applies to $, &, ), (, ;, >, <, `, and |.
+ *
+ * Additionally, rejecting quotes and other garbage means that we prevent
+ *   alias "a'b=c" "ls&id=cd"
+ * being output as
+ *   a'b='c'
+ *   ls&id='cd'
+ * which explodes and/or executes code when it's evaled back.
+ */
+STATIC
+bool
+validalias(const char *name)
+{
+	return !strpbrk(name, "\t\n \\\"'$&)(;><`|");
+}
+
 STATIC
 void
 setalias(const char *name, const char *val)
@@ -151,7 +180,11 @@ aliascmd(int argc, char **argv)
 				printalias(ap);
 		} else {
 			*v++ = '\0';
-			setalias(n, v);
+			if (!validalias(n)) {
+				outfmt(out2, "%s: %s: invalid name\n", "alias", n);
+				ret = 1;
+			} else
+				setalias(n, v);
 		}
 	}
 
-- 
2.30.2

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
