在bash shell中,可以使用declare -p轻松引用数组,然后eval稍后将其恢复正常。将数组(作为脚本的一部分)通过SSH传递给远程计算机似乎是可以接受的。
问题是,反过来说,我不希望获得同样的信任度。如果远程计算机受到攻击,则感染可能会通过未经过清除的eval语句传播到本地计算机。
目前,要在机器之间传递数组,我使用这样的方法:
#!/bin/bash
# Define the modules we expect to find installed on the remote machine
expected_modules=(foo-module bar 'baz 2.0')
# SSH into the remote machine, send the arrays back and forth with "declare -p"
unparsed_missing_modules=$(ssh remote-machine /bin/bash << EOF
check_for_module() {
# Placeholder so that this can be tested locally
case \$1 in
foo*) true;;
*) false;;
esac
}
$(declare -p expected_modules)
missing_modules=()
for module in "\${expected_modules[@]}"; do
if ! check_for_module "\$module"; then
missing_modules+=( "\$module" )
fi
done
declare -p missing_modules
EOF
)
# Unpack the result (this is what I want to find an alternative to)
eval "$unparsed_missing_modules"
# Do something with the result after unpacking into an array
for module in "${missing_modules[@]}"; do
echo "Warning: Remote machine is missing $module" >&2
done
当ssh会话的输出直接传递给eval时,此脚本中的主要不安全性即将结束。如何在bash中清理此输入?
答案 0 :(得分:4)
通用,安全的答案是NUL分隔数组的条目,在stdout上传递文本NUL分隔的数据,并使用while read循环来解释它。
观察:
get_remote_array() {
local args
local hostname=$1; shift
printf -v args '%q ' "$@"
ssh "$hostname" "bash -s $args" <<'EOF'
# in real-world use, print something more useful than the arguments we were started with
# ...but for here, this demonstrates the point:
printf '%s\0' "$@"
EOF
}
array=( )
while IFS= read -r -d ''; do
array+=( "$REPLY" )
done < <(get_remote_array "localhost" \
$'I\ncontain\nnewlines' \
'I want to $(touch /tmp/security-fail)' \
"'"'I REALLY want to $(touch /tmp/security-fail), even in single quotes'"'")
echo "---- Shell-escaped content"
printf '%q\n' "${array[@]}"
echo "---- Unescaped content"
printf '<<%s>>\n' "${array[@]}"
此演示可以向两个方向传递潜在的恶意数据,并证明它在未受伤害的往返过程中幸存下来。