Any tips on invoking notmuch cli securely? (pre-ANN yet another web client)
Daniel Barlow
dan at telent.net
Wed Sep 5 01:26:35 PDT 2018
I'm writing yet another notmuch web client: this one with a focus on
mobile, because it's great having email in emacs when I'm home or at my
desk but it turns out I actually do most of my email from my phone.
The structure is
* a very small web server that invokes notmuch with --format=json in
response to
* a "single page" clojurescript web app (re-frame/reagent/react)
* an ssh tunnel joining the two
There are a number of ways this is currently insecure but the particular
one I want to ask about today is running the notmuch cli commands with
user-supplied arguments and whether there are any particular gotchas in
doing so? I am reasonably sure that my code to invoke notmuch(1) is
calling execve(2) without invoking /bin/sh or the equivalent [*], but
are there ways, for example, that passing a weirdly formed thread-id to
["notmuch", "show", thread-id] could cause it to invoke a subshell or
delete the database or something else unexpected? I did look briefly at
using libnotmuch directly, but the JSON output format is oh *so*
convenient and I'd be entirely happy not to have to reinvent it.
[*] in Java, Runtime.exec(String[] cmdarray)
If you speak Clojure, what I'm currently doing is
https://github.com/telent/epsilon/blob/master/src/epsilon/server.clj#L27
and you can see screenshots of the WIP at
https://github.com/telent/epsilon/blob/master/README.md
Feedback welcome
-dan
More information about the notmuch
mailing list