Source: timeshift
Version: 20.03+ds-2
Severity: important

timeshift seems to make frequent use of this pattern:

    string cmd = "realpath '%s'".printf(escape_single_quote(filePath2));
    Process.spawn_command_line_sync(cmd, out output);

This is both dangerous and inefficient. It's dangerous because if
escape_single_quote() is not implemented correctly, or is not called every
time an external command is used, then this tool will be susceptible to
shell-injection attacks. It's inefficient because every time a command is
run like this, it is run via a new instance of the sh(1) shell.

Where a function can be implemented by calling platform APIs, please do
that. For example, canonicalize_file_name() in glibc does the equivalent of
calling realpath(1) without needing any external processes at all.

Where an external command is absolutely necessary (for example to call
out to rsync), please use APIs based on an array of command-line arguments,
for example GLib.SubprocessLauncher.spawnv() or GLib.Process.spawn_sync().
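A hardened version of the two cases above, as an added example in Vala (not timeshift's own code): it assumes Posix.realpath from posix.vapi as the binding for realpath(3), and runs rsync through GLib.Process.spawn_sync with an argv array so no shell and no quoting function are involved.

```vala
// Added example, not part of timeshift. Build with:
//   valac --pkg gio-2.0 --pkg posix safe_spawn.vala

// 1. realpath(1) replaced by the C library call (assumed binding:
//    Posix.realpath in posix.vapi). No process is spawned and the path is
//    never seen by sh(1), so nothing needs escaping. Returns null on failure.
public string? canonical_path (string path) {
    return Posix.realpath (path);
}

// 2. An external command that is genuinely needed, built as an argv array.
//    Each element reaches execve() as one argument: a path containing
//    ' " $ ` or spaces is still a single argument and cannot alter the
//    command line. "--" stops rsync from treating a leading "-" as an option.
public bool run_rsync (string source, string dest,
                       out string stdout_text, out string stderr_text)
                       throws Error {
    string[] argv = { "rsync", "-a", "--", source, dest };
    int exit_status;
    Process.spawn_sync (null,                    // inherit working directory
                        argv,
                        null,                    // inherit environment
                        SpawnFlags.SEARCH_PATH,  // resolve "rsync" via PATH
                        null,                    // no child setup hook
                        out stdout_text,
                        out stderr_text,
                        out exit_status);
    // Turns a non-zero exit or signal death into a thrown GLib.Error.
    return Process.check_exit_status (exit_status);
}

int main (string[] args) {
    // A name such as "it's here" would break a shell-quoted command line if
    // escape_single_quote() were ever skipped; here it is just a string.
    string? resolved = canonical_path (args.length > 1 ? args[1] : ".");
    stdout.printf ("realpath: %s\n", resolved ?? "(unresolvable)");
    return 0;
}
```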

Thanks,
    smcv
