mirror of
https://github.com/nushell/nushell.git
synced 2024-12-30 19:09:15 +01:00
f3cf693ec7
# Description Makes `run-external` error if arguments to `cmd.exe` internal commands contain newlines or a percent sign. This is because the percent sign can expand environment variables, potentially? allowing command injection. Newlines I think will truncate the rest of the arguments and should probably be disallowed to be safe. # After Submitting - If the user calls `cmd.exe` directly, then this bypasses our handling/checking for internal `cmd` commands. Instead, we use the handling from the Rust std lib which, in this case, does not do special handling and is potentially unsafe. Then again, it could be the user's specific intention to run `cmd` with whatever trusted input. The problem is that since we use the std lib handling, it assumes the exe uses the C runtime escaping rules and will perform some unwanted escaping. E.g., it will add backslashes to the quotes in `cmd echo /c '""'`. - If `cmd` is called indirectly via a `.bat` or `.cmd` file, then we use the Rust std lib which has separate handling for bat files that should be safe, but will reject some inputs. - ~~I'm not sure how we handle `PATHEXT`, that can also cause a file without an extension to be run as a bat file. If so, I don't know where the handling, if any, is done for that.~~ It looks like we use the `which` crate to do the lookup using `PATHEXT`. Then, we pass the exe path from that to the Rust std lib `Command`, which should be safe (except for the first `cmd.exe` note). So, in the future we need to unify and/or fix these different implementations, including our own special handling for internal `cmd` commands that this PR tries to fix. |
||
|---|---|---|
| .. | ||
| nu_plugin_custom_values | ||
| nu_plugin_example | ||
| nu_plugin_formats | ||
| nu_plugin_gstat | ||
| nu_plugin_inc | ||
| nu_plugin_nu_example | ||
| nu_plugin_polars | ||
| nu_plugin_python | ||
| nu_plugin_query | ||
| nu_plugin_stress_internals | ||
| nu-cli | ||
| nu-cmd-base | ||
| nu-cmd-extra | ||
| nu-cmd-lang | ||
| nu-cmd-plugin | ||
| nu-color-config | ||
| nu-command | ||
| nu-engine | ||
| nu-explore | ||
| nu-glob | ||
| nu-json | ||
| nu-lsp | ||
| nu-parser | ||
| nu-path | ||
| nu-plugin | ||
| nu-plugin-core | ||
| nu-plugin-engine | ||
| nu-plugin-protocol | ||
| nu-plugin-test-support | ||
| nu-pretty-hex | ||
| nu-protocol | ||
| nu-std | ||
| nu-system | ||
| nu-table | ||
| nu-term-grid | ||
| nu-test-support | ||
| nu-utils | ||
| nuon | ||
| README.md | ||
Nushell core libraries and plugins
These sub-crates form both the foundation for Nu and a set of plugins which extend Nu with additional functionality.
Foundational libraries are split into two kinds of crates:
- Core crates - those crates that work together to build the Nushell language engine
- Support crates - a set of crates that support the engine with additional features like JSON support, ANSI support, and more.
Plugins are likewise also split into two types:
- Core plugins - plugins that provide part of the default experience of Nu, including access to the system properties, processes, and web-connectivity features.
- Extra plugins - these plugins run a wide range of different capabilities like working with different file types, charting, viewing binary data, and more.