Comments (5)

jvehent avatar jvehent commented on July 21, 2024

I think shell=True may be fine given that it's only invoked in editing mode, in a shell created by the user. If someone can inject malicious parameters in that user's environment, there are worse things to do than messing with $EDITOR.

from sops.

claudijd avatar claudijd commented on July 21, 2024

Decent read here on Stack Overflow that helped me catch up on the issue:
http://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess

@jbuck I would first modify $EDITOR to use a fully-qualified path and make sure you're running the latest version of bbedit.

@jvehent if @jbuck continues to have issues after those two are complete, you can probably modify the sops bin to extract and expand the path for the $EDITOR value and hopefully avoid this bug. If it's some weird internal thing in bbedit, maybe it can be reported upstream to see if they'd be willing to make a change. I'd try all those options before shell=True, since it's likely people will wrap some automation code around this tool and do poor input validation that gives rise to command injection vulns.

Another option you could try is to make it configurable in sops with a warning about the implications and leave the default as shell=False.


jbuck avatar jbuck commented on July 21, 2024

I tried with vim instead of bbedit to rule out something strange that it's doing:

(assume-aws-role prod)$ EDITOR='vim' sops common.yaml
INFO: assuming AWS role 'arn:aws:sts::361527076523:assumed-role/hiera-sops-prod/sops@jbuckley-23775'
INFO: temp file created at /var/folders/q2/vhg0j08n3fz3zsvph1rsw5080000gn/T/tmpRDS4a1.yaml
PANIC: common.yaml has not been modified, exit without writing
(assume-aws-role prod)$ EDITOR='vim -C' sops common.yaml
INFO: assuming AWS role 'arn:aws:sts::361527076523:assumed-role/hiera-sops-prod/sops@jbuckley-23775'
INFO: temp file created at /var/folders/q2/vhg0j08n3fz3zsvph1rsw5080000gn/T/tmp_tnTJ0.yaml
OSError: [Errno 2] No such file or directory
(assume-aws-role prod)$ EDITOR='vim ' sops common.yaml
INFO: assuming AWS role 'arn:aws:sts::361527076523:assumed-role/hiera-sops-prod/sops@jbuckley-23775'
INFO: temp file created at /var/folders/q2/vhg0j08n3fz3zsvph1rsw5080000gn/T/tmpdQLbuN.yaml
OSError: [Errno 2] No such file or directory

I had a look at the manpage for BBEdit and they explicitly call out that some tools may not work correctly:

--resume (no short variant) Used in combination with -w or --wait, this switch
will cause the application which was frontmost when the bbedit tool was invoked
to be made frontmost again once you close the file(s) specified on the command
line.

  This is convenient if you are using the Terminal (or any third-party
  equivalent) to invoke a command which uses BBEdit as its editor (p4, cvs), and
  want to return back to the Terminal when the editing session is over.

    bbedit --wait --resume  ~/foo.txt

-w, --wait Wait until the file is closed in BBEdit. Normally, the bbedit tool
exits immediately after the file arguments are opened in BBEdit. This option
applies to both local files and files opened from FTP or SFTP servers.

  The -w option allows the bbedit tool to be used as an external editor for Unix
  tools that use the EDITOR global environment variable. To make this work using
  tcsh, add the following line to your .cshrc (or .tcshrc) file:

    setenv EDITOR "bbedit -w"

  Some tools (notably crontab), will not work correctly if your EDITOR variable
  consists of multiple terms. You can work around this by creating a simple
  shell script that calls bbedit -w, then using the shell script as your EDITOR.
  For example:

    #!/bin/sh
    bbedit -w "$@"


gdestuynder avatar gdestuynder commented on July 21, 2024

Without shell=True the env variables ($EDITOR) aren't automagically expanded and the paths aren't automagically expanded either ($PATH) - both are things that a shell will do for you.

An alternative is doing it by hand (os.path.expandvars and going through manually.. pain, but might be what you want there - though parameters like bbedit -blah will still not work unless you also check for arguments in $EDITOR), or using shell=True (which starts a shell really - sure, it's a little more dangerous and not very portable, though in some cases it's totally ok; when you expect to use shell stuff, you gotta use a shell, for example).

IIRC that's about it..

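The "by hand" approach that claudijd and gdestuynder sketch above (expand variables, split the multi-term value, resolve the program on PATH, then call subprocess without a shell) is shown below as an added example. It is not sops code and not from this thread; the function names `build_editor_command`, `run_editor` and `demo_with_fake_editor` are my own, and the fake editor script and file contents in the demo are constructed for illustration. The point is that a value like `bbedit -w` works without shell=True, while shell operators in $EDITOR stay inert text rather than becoming commands.

```python
import os
import shlex
import shutil
import stat
import subprocess
import tempfile
from string import Template
from typing import List, Mapping, Optional


def build_editor_command(editor: str, target: str,
                         env: Optional[Mapping[str, str]] = None,
                         resolve: bool = True) -> List[str]:
    """Turn an $EDITOR value such as 'bbedit -w' into an argv list for subprocess.

    Replicates the three things a shell would otherwise do for us:
    variable expansion, word splitting with quoting, and PATH lookup.
    Operators like ';', '|' or '&&' are NOT interpreted: shlex keeps them as
    plain characters inside words, so they can only end up as a program name
    or argument, never as a second command.
    """
    env = os.environ if env is None else env
    # Expand $VAR / ${VAR} against the supplied environment (safe_substitute
    # leaves unknown names untouched instead of raising).
    expanded = Template(editor).safe_substitute(env)
    # POSIX word splitting that honours quotes but knows no shell operators.
    argv = shlex.split(expanded)
    if not argv:
        raise ValueError("EDITOR is empty")
    if resolve:
        # Resolve a bare program name against PATH, the way a shell's lookup
        # would, so a multi-term EDITOR does not yield a bare 'Errno 2'.
        found = shutil.which(argv[0], path=env.get("PATH", os.defpath))
        if found is None:
            raise FileNotFoundError(f"editor {argv[0]!r} not found on PATH")
        argv[0] = found
    return argv + [target]


def run_editor(editor: str, target: str,
               env: Optional[Mapping[str, str]] = None) -> int:
    """Run the editor with shell=False; argv goes straight to exec."""
    argv = build_editor_command(editor, target, env)
    return subprocess.run(argv, env=dict(env) if env is not None else None,
                          check=False).returncode


def demo_with_fake_editor() -> bool:
    """Constructed demo: a stand-in 'editor' script on a private PATH.

    Returns True if the editor was found via PATH, received its '-w' flag
    untouched, and modified the target file (the case sops checks for).
    """
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "fakeedit")
        with open(script, "w") as f:
            # Skip option-looking arguments, append a marker to each file arg.
            f.write('#!/bin/sh\nfor a in "$@"; do\n'
                    '  case "$a" in -*) ;; *) echo "# edited" >> "$a" ;; esac\n'
                    'done\n')
        os.chmod(script, stat.S_IRWXU)
        target = os.path.join(d, "common.yaml")
        with open(target, "w") as f:
            f.write("a: 1\n")
        rc = run_editor("fakeedit -w", target, env={"PATH": d})
        with open(target) as f:
            return rc == 0 and "# edited" in f.read()


if __name__ == "__main__":
    print(build_editor_command("bbedit -w", "common.yaml", env={}, resolve=False))
    print(demo_with_fake_editor())
```

With this in place a user who sets `EDITOR='vim; echo injected'` gets a `FileNotFoundError` for a program literally named `vim;`, rather than a second command being run, which is the property the thread wants to keep when arguing against shell=True.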

jvehent avatar jvehent commented on July 21, 2024

Thank you gents. Let's see how far my patch takes us, and if people need more we can revisit.

