Hi! Max Nikulin <maniku...@gmail.com> writes:
> On 14/11/2021 22:28, Daniel Kraus wrote:
>> +(defun ob-clojure-escape-quotes (str-val)
>> + "Escape quotes for STR-VAL."
>> + (replace-regexp-in-string "\"" "\\\"" str-val 'FIXEDCASE 'LITERAL))
>> +
>> +(defun ob-clojure-eval-with-babashka (bb expanded)
>> + "Evaluate EXPANDED code block using BB (babashka or nbb)."
>> + (let ((escaped (ob-clojure-escape-quotes expanded)))
>> + (shell-command-to-string
>> + (concat bb " -e \"" escaped "\""))))
>
> Does it not open a door for security vulnerabilities? Consider a string
> somewhere in the code: "`echo arbitrary code execution`". Only outer quotes
> are escaped.

The escaping is not done for security reasons.
When I have a babel block like

#+BEGIN_SRC clojure
(str "foo" "bar")
#+END_SRC

babashka has to be called with

bb -e "(str \"foo\" \"bar\")"

etc.

Security-wise, someone should always be careful what he evaluates in an
org-babel block. Nobody prevents you from evaluating

#+BEGIN_SRC shell
sudo rm -rf /
#+END_SRC

Cheers,
Daniel
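Review bot: in `ob-clojure-eval-with-babashka` the concatenated command is handed to a shell via `shell-command-to-string`, and `ob-clojure-escape-quotes` escapes only `"`, so backticks, `$(...)`, `$VAR` and backslashes inside the block are still interpreted by the shell; a Clojure string that already contains `\"` also becomes `\\"` after escaping, which the shell reads as a literal backslash followed by a closing quote, truncating the command. Passing the code as a separate argument avoids both problems, e.g. `(call-process bb nil t nil "-e" expanded)` (or `process-file` for remote buffers); if a shell command string is unavoidable, build it with `(shell-quote-argument expanded)` instead of hand-escaping quotes.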
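Added example, not code from the thread or from ob-clojure: the two function names are hypothetical, and it shows the no-shell invocation of babashka that makes the quote-escaping question moot, next to the shell variant with proper quoting.

```elisp
;; Added example (hypothetical names, not part of ob-clojure or this patch).
;; The babashka binary and the expanded block body are passed as argv
;; elements, so no shell ever parses the block's contents.
(defun my/ob-clojure-eval-with-babashka (bb expanded)
  "Evaluate EXPANDED with the executable BB, passing the code via -e.
No shell is involved, so backticks, $(...), $VAR and quotes inside
EXPANDED are inert; only Clojure's own syntax applies to them."
  (with-temp-buffer
    (let ((status (call-process bb nil t nil "-e" expanded)))
      ;; `call-process' returns an integer exit status, or a string
      ;; describing a signal; treat anything but 0 as failure.
      (unless (equal status 0)
        (error "%s exited with status %s:\n%s" bb status (buffer-string)))
      (buffer-string))))

;; If a shell command string is unavoidable (e.g. BB carries its own
;; options), quote the untrusted argument as a whole instead of
;; hand-escaping quotes; `shell-quote-argument' handles quotes,
;; backslashes, backticks and dollar signs for the current shell.
(defun my/ob-clojure-eval-via-shell (bb expanded)
  "Evaluate EXPANDED through a shell, quoting it with `shell-quote-argument'."
  (shell-command-to-string
   (concat bb " -e " (shell-quote-argument expanded))))

;; Both functions can be tried interactively, e.g.
;; (my/ob-clojure-eval-with-babashka "bb" "(str \"foo\" \"bar\")")
```

For blocks evaluated in a TRAMP buffer, `process-file` takes the same argument shape as `call-process` and runs the program on the remote host.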