Hacker News

Sounds neat. However, the fact that `ls -l` either subtracts two numbers or calls a shell command, depending on whether there exist variables 'ls' and 'l' in the Python environment, looks like a security nightmare waiting to happen. What if I create a python object 'ls' deep inside a script that does Evil when subtracted from?
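As an added illustration of the ambiguity this comment describes (example code written for this discussion, not xonsh's own implementation): the rule modelled below, "a line is Python only if it parses as an expression and every bare name in it is bound, otherwise it is a command", is an assumption chosen to reproduce the `ls -l` behaviour, and the `Evil` class and its namespaces are constructed for the demo. Nothing is actually executed on the system; commands are returned as argv lists.

```python
import ast
import shlex


class Evil:
    """Constructed for this example: an object whose '-' operator has a side effect."""

    def __init__(self):
        self.triggered = []

    def __sub__(self, other):            # fires for  ls - l  when ls is an Evil instance
        self.triggered.append(("__sub__", other))
        return "evil ran as left operand"

    def __rsub__(self, other):           # fires for  ls - l  when l is Evil and ls cannot handle it
        self.triggered.append(("__rsub__", other))
        return "evil ran as right operand"


def bare_names(line):
    """Names referenced by the line if it parses as a Python expression, else None."""
    try:
        tree = ast.parse(line, mode="eval")
    except SyntaxError:
        return None
    return {node.id for node in ast.walk(tree) if isinstance(node, ast.Name)}


def resolve(line, namespace):
    """Assumed rule (not xonsh's real heuristic): Python if the line parses and
    every name in it is bound in `namespace`; otherwise treat it as a command.

    Returns ("python", value) or ("subprocess", argv).  A real shell would hand
    argv to the OS; here it is only returned.
    """
    names = bare_names(line)
    if names is not None and names <= set(namespace):
        value = eval(line, {"__builtins__": {}}, dict(namespace))
        return ("python", value)
    return ("subprocess", shlex.split(line))


def demo():
    results = {}
    results["clean"] = resolve("ls -l", {})                   # neither name bound: a command
    results["only_ls"] = resolve("ls -l", {"ls": Evil()})     # 'l' unbound: still a command
    ns = {"ls": Evil(), "l": 1}
    results["both"] = resolve("ls -l", ns)                    # both bound: Python, Evil.__sub__ runs
    results["both_trace"] = ns["ls"].triggered
    ns2 = {"ls": 5, "l": Evil()}
    results["rhs"] = resolve("ls -l", ns2)                    # int - Evil falls through to Evil.__rsub__
    results["rhs_trace"] = ns2["l"].triggered
    results["echo"] = resolve("echo hello world", {})         # not a Python expression: a command
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>10}: {value}")
```

The point the trace makes is that binding *both* names flips the same typed line from a process launch into arbitrary Python with side effects, and that the operand on either side of the minus can be the one carrying the behaviour.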


Python variables are scoped as normal, so the security story for xonsh is the same as for Python. We are always open to suggestions and PRs to harden the code base as needed.


It could be worse. It could be a Wolfram shell, in which case 'ls -l' would return 'l(s - 1)'.


What's stopping a Bash script from doing something similar? You could alias ls to a malicious actor for example.


Well, aliases are ignored in scripts usually, but you could prepend something to the PATH so your script/exe gets found before built-ins, no? I agree, I don't see that this is a problem unique to Xonsh.


I mean, that's the underlying concept behind the fork bomb isn't it? With ":() { :|:&}" you're essentially redefining the bash noop to be a function that pipes/forks itself into itself recursively.

It's the reason './' is not in the default path as well (so you can't place an 'ls' in your home directory and have the admin run your command instead of the real ls).
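An added example of the PATH-ordering point in this comment (not code from the thread or from any shell): two fake `ls` scripts are constructed in a temporary directory, one standing in for the system binary and one for an attacker's copy in a home directory, and `shutil.which` is used to resolve `ls` under a normal PATH, under a PATH with the home directory prepended, and from inside the attacker's directory with and without `.` in the search list. Directory and file names are made up for the demo.

```python
import os
import shutil
import stat
import tempfile


def make_fake(dirpath, name, body):
    """Write an executable script called `name` into dirpath and return its path."""
    path = os.path.join(dirpath, name)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path


def lookup_demo():
    """Resolve 'ls' under several PATH layouts built entirely inside a temp dir.

    Returns the chosen executable for each case as a path relative to the temp
    root ("sysbin/ls" is the 'real' one, "home/ls" the attacker's copy).
    """
    with tempfile.TemporaryDirectory() as root:
        real_root = os.path.realpath(root)

        def rel(found):
            return os.path.relpath(os.path.realpath(found), real_root)

        system_bin = os.path.join(root, "sysbin")   # stand-in for /usr/bin
        home = os.path.join(root, "home")           # stand-in for the attacker's $HOME
        os.mkdir(system_bin)
        os.mkdir(home)
        make_fake(system_bin, "ls", "#!/bin/sh\necho real ls\n")
        make_fake(home, "ls", "#!/bin/sh\necho evil ls\n")

        results = {}
        # 1. Sane PATH: only the system directory is searched.
        results["default_path"] = rel(shutil.which("ls", path=system_bin))
        # 2. Attacker's directory prepended, i.e. PATH=$HOME:$PATH.
        results["home_prepended"] = rel(
            shutil.which("ls", path=os.pathsep.join([home, system_bin])))
        # 3. Running from inside the attacker's directory: '.' absent vs present.
        old_cwd = os.getcwd()
        os.chdir(home)
        try:
            results["cwd_without_dot"] = rel(shutil.which("ls", path=system_bin))
            results["cwd_with_dot"] = rel(
                shutil.which("ls", path=os.pathsep.join([".", system_bin])))
        finally:
            os.chdir(old_cwd)
        return results


if __name__ == "__main__":
    for case, chosen in lookup_demo().items():
        print(f"{case:>16}: {chosen}")
```

Only the two layouts that put the attacker-controlled directory ahead of the system one resolve to the planted copy; with `.` left out of PATH, standing in the attacker's directory changes nothing, which is the reason the comment gives for that default.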


Why not just do the evil directly in the script if you can do that?


Obfuscation minimizes time to discovery? Indirection is a possible technique for obfuscation?


This is a super silly concern.


You



