Tl;dr:
std::process::Command
is vulnerable to shell injection if you invokecmd.exe
or*.{cmd,bat}
on Windows.Were there actually any real-world use-cases affected by this? Do any of them not deserve to be named and shamed irregardless of this vulnerability?
If it was up to me, I would nuke the cmd custom implementation, leave some helpful compile error messages behind, and direct users to some 3rd party crates to choose from.
Doing such a regression on a Tier 1 target would be a really big blow to the language’s reputation imo
What custom implementation? The escaping logic?
Edit: to be clear, there is no “custom implementation” of
cmd
itself, nor is the problem exclusive to Rust. This is a problem with the Windowscmd
itself.
This sounds like a pretty big deal for crates with custom build.rs files.
How so? This exploit requires running a shell command in a way that permits an attacker to control the arguments provided. That doesn’t seem like it would be particularly common in build scripts.
I’m thinking an xz-style attack where a malicious actor submits an “improvement” with an innocuous-looking change to the build script that ends up running arbitrary commands. Running a batch script seems like a reasonable thing for a build script to do (e.g. to run something like i18n or whatever), and a lot of project devs may not know much about how batch scripts work (many devs are more familiar with Linux-compatible shell scripts), so it could slip through. The batch script itself could be innocuous and thus not be caught by a reviewer.
That’s not going to be particularly feasible when generating bindings and other complex build processes. For example, the Qt bindings run shell commands as part of the build.rs. As does gettext-rs.
So I don’t think it’s unreasonable to think a developer could sneak in an exploit with “temporary code” to improve some part of the build process on Windows.
I’d instantly reject such an approach. Find a better way to do things.