Always check your inputs
Love Bobby Tables
Security researcher Marcus Brinkmann has turned up another vulnerability in the GnuPG cryptographic library, this time specific to the Simple Password Store. Brinkmann explained that CVE-2018-12356 offers both access to passwords and possible remote code execution. This bug is an incomplete regex in GnuPG's signature …
... parsing unstructured output from the stdout of a command-line tool is not what you could call a robust API.
If the tool had a mode to output JSON or XML, that might be better - as long as you parse it with a correspondingly robust library. But here we're talking about a shell script parsing the output of some other command, which is a recipe for security disaster.
In my experience, most shell scripts I come across are littered with errors waiting to explode. The most common is unquoted variable expansions:
rm $filename
instead of
rm -- "$filename"
The former doesn't work if $filename contains a space. But it could also do very nasty things if the filename is, say, "-rf --no-preserve-root /"
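An added illustration of the two pitfalls described above (word splitting of an unquoted expansion, and a filename that begins with "-" being taken as an option); it is not the commenter's own code. It uses a stand-in that only reports how a command such as rm would parse its arguments, so nothing is deleted; describe_args, unsafe_call and safe_call are assumed names.

```sh
#!/bin/sh
# Stand-in for a destructive command. It reports how many of its arguments
# would be treated as options and how many as operands (file names), using
# the usual rule: anything starting with "-" is an option until "--" is seen.
describe_args() {
  opts=0; operands=0; end_of_opts=0
  for arg in "$@"; do
    if [ "$end_of_opts" -eq 0 ] && [ "$arg" = "--" ]; then
      end_of_opts=1        # everything after "--" is an operand, even "-rf"
      continue
    fi
    if [ "$end_of_opts" -eq 0 ]; then
      case "$arg" in
        -?*) opts=$((opts + 1)); continue ;;
      esac
    fi
    operands=$((operands + 1))
  done
  printf 'options=%s operands=%s\n' "$opts" "$operands"
}

# The buggy pattern from the comment:  rm $filename
# The unquoted $1 is split on whitespace (and would also be glob-expanded),
# and nothing stops a leading "-" from being read as an option.
unsafe_call() { describe_args $1; }

# The fixed pattern:  rm -- "$filename"
# Quoting keeps the name as one word; "--" ends option parsing.
safe_call() { describe_args -- "$1"; }

# Constructed sample file names, one with a space and one shaped like options.
for name in 'my notes.txt' '-rf --no-preserve-root /'; do
  printf 'name: %s\n' "$name"
  printf '  unsafe: %s\n' "$(unsafe_call "$name")"
  printf '  safe:   %s\n' "$(safe_call "$name")"
done
```

With the second name the unsafe call delivers two options and one operand ("/") to the command, while the safe call delivers exactly one operand.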
Wot, you mean to say there might be a bug in my script? Yep, a command-line tool in a traditional Unix pipeline doesn't belong in a security-critical situation. In the case of gnupg I can't even rely on $?.
Though I'm not sure XML or JSON would really help much more than plain ol' CSV or ... um ... ASCII. What I could really use is a libgnupg, to include a high-level API matching gpg command-line options.
Agreed. Exit status would be reasonable for this sort of thing, but as you've found they don't bother to set it in important situations, nor even document the exit codes in the manpage.
Have a look at gpgme for the API, although it's probably not as high-level as you'd like.
I don't think you CAN rewrite it to cover all situations. Strict processes can be bombed with bad input, while loose ones can be exploited a la Confused Deputy. Neither one is desirable depending on the circumstances (which may not be the same even within the same process--and you may not even know which applies).