I sometimes need to execute a built-in shell command like type, or just run an arbitrary shell command string (as a single string rather than an array of command + arguments). While I prefer the API of Deno.run for the vast majority of cases, it doesn't let me do either of these.
Is there any clean way to do these in Deno? It doesn't need to be the same solution for both, but it could be. I'm currently using a solution like what's seen here, but it doesn't feel very elegant, and I'd love to find a better way. Another alternative I considered was writing the command to a temp file with .sh/.ps1 extension and then running that.
Related
I want to write a script in groovy to decrypt files using openPGP. I tried to find a library that I could use for this task but was unsuccessful. Is there a source I might have omitted during my search or I need to go some alternative way that you would recommend.
My idea with script is to be executed every time before the file processing needs to start. It seems as a relatively simple task, but I can't find this library.
So I have a 3rd party application which exposes a Python API. I have a python script that does what I need it to do with that 3rd party application.
The python script only uses command line arguments, no user input and writes to stdout.
I'm wiring this up to be launched at runtime from an ASP.NET website. Since python is so powerful, I'm wondering if it would make sense from a security standpoint to create a new executable that launches the python process with a hard coded or locally read (App.Config) script path and copy its command line arguments to the python process.
This new executable would be launched from the .NET application as a way to prevent attackers from uploading and launching arbitrary python code? Does this negate any attack vectors or is it just extra complexity?
Also, I can't use IronPython, as the 3rd party extensions are written for CPython only.
Idea of the code:
Process p = new Process();
p.StartInfo.FileName = "python.exe";
p.StartInfo.Arguments = "goodscript.py \"" + argument1.Replace("\"","\\\"") + "\" \"" +
argument2.Replace("\"","\\\"") + "\"";
p.Start();
I'm worried that either a command line switch like -i could be injected or that somehow the file path to goodscript.py could be changed to point to another script. I guess if the later is possible then really the file path to python.exe could be changed to another executable file path.
The sample code definitely has security concerns. I'm not sure how Process.StartInfo works there; if it splits up the arguments before executing the subprocess or if it uses some shell to do it for you, but either way, there's at least room for an attacker to put backslashes in the argument strings and trick your double-quote-escaping.
If you have some other method to convey arguments individually, instead of trying to pack them into a string and let something else parse them apart, that would be much preferable.
Your Python script is going to be invoked by the website. If someone can use the website to cause the Python script to be invoked with different arguments, or to execute a different script, or whatever, then that's the security hole. It has nothing to do with "Python being so powerful", this would be a security issue for calling out to any language
How exactly do you think this would be affected by wrapping the Python script with something else and invoking that instead? Either someone can cause a different executable to be invoked, or to be invoked with different arguments or on different data, in which case you're screwed no matter what language you're calling. Or they can't, in which case you're fine no matter what language you're calling.
As it currently stands, your script is not just an added complexity, but is actually opening up a security hole. Namely, that you're passing the arguments a single string that have to be parsed instead of as pre-tokenized list of strings.
Is it possible to create our own unix commands?
For example: we have ls -ltr,cd,mkdir etc which perform certain actions. I want to create a similar command which would save username-password into a table in database. I'm kinda new to unix. Any suggestions?
Yes, it is easy to create your own commands that do jobs that you find useful. You can implement them in a variety of languages, from shell to Perl to C and on and on.
The only significance to the standard commands are that they are installed (usually) in /bin or /usr/bin rather than anywhere else, and they do jobs that are defined by a standard (often POSIX). Often, people place locally created commands in /usr/local/bin; others will create themselves a directory $HOME/bin and put their personal commands there. You simply need to ensure that these directories are on your PATH.
In my $HOME/bin directory (depending on which machine I'm looking at), I have from 46 commands (on this machine) up to about 500 on my main work machines. The commands do different jobs; the names are mnemonic to me (and generally not to other people). Some commands are polished and ready for production use anywhere (and these have manual pages, almost by definition of being production-ready). Others are quick hacks assembled for a quick-and-dirty job. Some of the quick hacks are removed; some get polished; some get stashed away in case I need to do something similar in the future. Only the trivial don't go under version control.
On this machine (which I only use casually and not really for development work), I have 9 shell scripts, 4 Perl scripts, and the rest are executables (Git and Go, mainly). On my main machines, I have many more shell and Perl scripts and proportionately fewer C programs. I have few Python scripts since I learned Perl first and I'm not as fluent in Python. I've been writing and collecting these scripts for a long time; the oldest versions of the oldest programs date back to about 1987.
I know barely more than zero about R: until yesterday I didn't know how to spell it. But I'm suicidal: for my web site, I'm thinking about letting a visitor type in an R "program" ( is it even called a "program") and then, at submit time, blindly calling the R interpreter from my CGI. I'd then return the interpreter's output to the visitor.
Does this make sense? Or does it amount to useless noise?
If it's workable, what are the pitfalls in this approach? For example, what are the security issues, if any? Is it possible to make R crash, killing my CGI program? Do I have to clean up the R code before calling the interpreter? And the like.
you could take a look to Rserve which allows to execute R scripts via the TCP/IP interface available in PHP for example if I'm not mistaken.
Its just asking for trouble to let people run arbitrary R code on your server. You could try running it in a chroot jail, but these things can be broken out of. Even in a chroot, the R process could delete or alter files, or spawn a long-running process, or download a file to your server, and all manner of nastiness.
You might look at Rweb, which has exactly this behavior: http://www.math.montana.edu/Rweb/
Since you can read and write files in R, it would not be safe to let people run arbitrary R code at your server. I would look if R has something like PHP's safe mode... If not, and if you are root, you can try to run R under user nobody in a chroot (you must also place there packages and libraries - for readonly access, and some temporary directory for RW access).
Is there a way to pass commands (from a shell) to an already running R-runtime/R-GUI, without copy and past.
So far I only know how to call R via shell with the -f or -e options, but in both cases a new R-Runtime will process the R-Script or R-Command I passed to it.
I rather would like to have an open R-Runtime waiting for commands passed to it via whatever connection is possible.
What you ask for cannot be done. R is single threaded and has a single REPL aka Read-eval-print loop which is, say, attached to a single input as e.g. the console in the GUI, or stdin if you pipe into R. But never two.
Unless you use something else as e.g. the most excellent Rserve which (when hosted on an OS other than Windoze) can handle multiple concurrent requests over tcp/ip. You may however have to write your custom connection. Examples for Java, C++ and R exist in the Rserve documentation.
You can use Rterm (under C:\Program Files\R\R-2.10.1\bin in Windows and R version 2.10.1). Or you can start R from the shell typing "R" (if the shell does not recognize the command you need to modify your path).
You could try simply saving the workspace from one session and manually loading it into the other one (or any kind of variation on this theme, like saving only the objects you share between the 2 sessions with saveRDS or similar). That would require some extra load and save commands but you could automatise this further by adding some lines in your .RProfile file that is executed at the beginning of every R session. Here is some more detailed information about R on startup. But I guess it all highly depends on what are you doing inside the R sessions. hth