System queries with Lua: l3sys-query

David Carlisle d.p.carlisle at gmail.com
Wed Mar 6 01:01:04 CET 2024 

On Tue, 5 Mar 2024 at 23:35, Karl Berry <karl at freefriends.org> wrote:

> Hi Joseph and David,
>
>     a script for doing (primarily) directory listings from Lua
>     https://github.com/latex3/l3sys-query
>
> I passed it on to tlsecurity at tug.org for completeness, though I think
> everyone there is also here.
>
>     The aim here is to be able to use it from restricted shell escape,
> which
>     means appropriate security review, etc. Hopefully we've been
>     conservative in that regard (currently it should simply refuse to
>     provide a listing at all outside pwd). Before thinking about a release,
>     I'd like to know what we need to do security-wise to have a chance to
>     get this into the default restricted list.
>
> Do I understand correctly that the key safety bit is:
>
>   -- Look for absolute paths or any trying to leave the confines of the
> current
>   -- directory: this is not supported.
>   if match(spec,"%.%.") or
>      match(spec,"^/") or
>      match(spec,"^\\") or
>      match(spec,"[a-zA-Z]:") then
>     return
>   end
>
> That looks ok to me. And when I tried running it, I got back the
> expected blank line for anything untoward.
>
> So I see no problems for security. I believe the --all option is
> ineffective? (Which seems good.)
>

--all enables .files in the current directory being read.

If the current directory has foo.tex and .foo then .foo is not listed
unless --all is used


$ ./l3sys-query.lua ls '*foo*'
./foo.tex

$ ./l3sys-query.lua ls --all '*foo*'
./.foo
./foo.tex

If openin_any = p is in force the calling tex system wouldn't be able to
read .foo but (currently at least)  it shows in the directory listing.
I think that's compatible with openin_any=p (which actually is in force
above) otherwise we would (I think) have to add a call to
kpsewhich -var-value 'openin_any'
to disable --all in that case.




>
> I have a number of non-security comments, but will write those up later
> today or tomorrow. Wanted to send this off now. --thanks, karl.
>

David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://tug.org/pipermail/tex-live/attachments/20240306/adc24e63/attachment.htm>

More information about the tex-live mailing list.