Are the following commands equivalent?

Question

$somevariable may contain whitespaces and other special characters to bash, and introduce security risk. Are the following commands equivalent? If not, can you rank them?

bash -c 'somecommand "$1"' bash "$somevariable"
bash -c "somecommand '$somevariable'"
bash -c "somecommand \"$somevariable\""

Are the following commands equivalent? If not, can you rank them?

find -exec sh -c 'something "$@"' sh {} \;
find -exec sh -c "something '{}'" \;
find -exec sh -c "something \"{}\"" \;
find -exec sh -c 'something "{}"' \;

I can't find nonequivalence between the commands in each group.

Originated from Ways to provide arguments to a command executed by `bash -c`. Here I would like to figure out whether the reason why findutils manual suggests

find -exec sh -c 'something "$@"' sh {} \;

instead of

find -exec sh -c "something {}" \;

is because of

quoting or
moving {} outside of the command to be executed by sh -c

Will the other commands I wrote in the second group above also work equivalently well?

Thanks.

To attack find -exec sh -c "something '{}'" \; the second command in the find group:

$ touch "'; echo world '"
$ find . -exec sh -c "ls '{}'" \;
''\''; echo world '\'''
''\''; echo world '\'''
world

Didn't Stephen already answer essentially this question in https://unix.stackexchange.com/a/448449/170373 ? — ilkkachu, Jun 10 '18 at 08:22

score 6 · Accepted Answer · edited Jun 11 '20 at 14:16

6

The `bash -c` commands are not the same in at least the following examples:

$ var='a
$(uname)'

$ bash -c 'echo "$1"' bash "$var"
a
$(uname)

$ bash -c "echo '$var'"
a
$(uname)

$ bash -c "echo \"$var\""
a
Darwin

The `find` commands also differ:

$ touch 'a
> $(uname)'

$ find . -exec sh -c 'echo "$@"' sh {} \;
.
./a
$(uname)

$ find . -exec sh -c "echo '{}'" \;
.
./a
$(uname)

$ find . -exec sh -c "echo \"{}\"" \;
.
./a
Darwin

$ find . -exec sh -c 'echo "{}"' \;
.
./a
Darwin

So it seems that the following allow arbitrary code execution:

bash -c "echo \"$var\""
find . -exec sh -c "echo \"{}\"" \;
find . -exec sh -c 'echo "{}"' \;

edited Jun 11 '20 at 14:16

Community

1

answered Jun 08 '18 at 22:18

jesse_b

37,005

Thanks. I made some change. Are all commands in each group equivalent now? – Tim Jun 08 '18 at 22:24
@Tim: I've updated – jesse_b Jun 08 '18 at 22:45
Thanks. Can you change the commands to make them equivalent? – Tim Jun 08 '18 at 22:51
@Tim: I think the alternatives you provided are "equivalent" and the best bet is to simply discard the ones that allow code execution. – jesse_b Jun 08 '18 at 22:57
2

Only the first method is safe: test with a variable containing unbalanced quotes: var=$'a\n\'foo"$(uname)' -- this question is similar to SQL injection: constructing code dynamically is fraught; use parameterization. – glenn jackman Jun 08 '18 at 23:41
@glennjackman Thanks. How about the group of find commands? – Tim Jun 08 '18 at 23:46
You can test yourself with a similarly named file. I would anticipate similar results. – glenn jackman Jun 08 '18 at 23:46

Are the following commands equivalent?

1 Answers1

The bash -c commands are not the same in at least the following examples:

The find commands also differ:

The `bash -c` commands are not the same in at least the following examples:

The `find` commands also differ: