
TIL: Some surprising code execution sources in bash

114 points, by nathan_phoenix, 6 months ago

10 comments

mmsc, 6 months ago

Unfortunately, there's a lot of gotchas in Bash like this. A lot of them are documented here: https://mywiki.wooledge.org/BashPitfalls, including the `test -v` case, which is #61. Some more code execution pitfalls are documented here: https://mywiki.wooledge.org/BashProgramming/05?action=show&redirect=CodeInjection including the `-eq` part (under Arithmetic Expansion).

Basically, the -v case was by design, so for `-v 'hash[$key]'`, "$key is expanded before the array subscript evaluation, and then the whole array plus expanded index is evaluated in a second pass". "Newer versions of bash (5.0 and higher) have a assoc_expand_once option which will suppress the multiple evaluations"

Note that the `-v` case doesn't really work the way one may infer from reading the OP:

> $ key='$(cat /etc/passwd > /tmp/pwned)'
> $ [[ -v 'x[$key]' ]]
> bash: $(cat /etc/passwd > /tmp/pwned): syntax error: operand expected (error token is "$(cat /etc/passwd > /tmp/pwned)") *
> [[ -v "${x[$key]}" ]]
> bash: $(cat /etc/passwd > /tmp/pwned): syntax error: operand expected (error token is "$(cat /etc/passwd > /tmp/pwned)")

PhilipRoman, 6 months ago

Yuck, I was always instinctively put off by [[, now I finally have some arguments to justify it.

IMO safe shell scripting is kind of dead. I can do it if I really have to, but too many external programs have tricky "convenience" features like interpreting flags after positional parameters, etc.

Comment #42215083 not loaded

voidfunc, 6 months ago

So many footguns in bash. When do we finally get serious about ditching this language as an industry in the same way we are about memory safety?

Comment #42215370 not loaded
Comment #42215253 not loaded
Comment #42215497 not loaded
Comment #42215275 not loaded

spiffytech, 6 months ago

What's the fix for those code samples?

Shellcheck currently gives Sample 1 a pass. I hope this is something it can be modified to catch.

Comment #42215039 not loaded
Comment #42215170 not loaded
Comment #42215068 not loaded
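One answer to the "what's the fix" question, as an added example that is not code from the thread or from the OP: the vulnerable shape of the `guess` samples next to a hardened form that validates the argument by pattern match before it ever reaches an arithmetic context. Function names (`guess_unsafe`, `is_uint`, `guess_safe`) are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): the bug's shape beside one fix.

# Vulnerable shape: "$1" reaches an arithmetic context before it is checked.
# Inside [[ ]], -eq arithmetically evaluates both operands (declare -i does the
# same), so an argument like 'a[$(some command)]' runs the command substitution.
guess_unsafe() {
    if [[ "$1" -eq 42 ]]; then echo "correct"; else echo "wrong"; fi
}

# Hardened shape: decide by pattern match, which never evaluates the string,
# that the argument is an unsigned decimal integer. Only then use it numerically.
# The same check belongs in front of any [[ -v 'x[$key]' ]] lookup on an
# indexed array, since the subscript is evaluated arithmetically too.
is_uint() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;   # empty, or has a character outside 0-9
        *) return 0 ;;
    esac
}

guess_safe() {
    if ! is_uint "$1"; then
        echo "rejected"
        return 2
    fi
    # The value is digits only, so this comparison cannot run anything.
    # (Plain [ ] also refuses non-numeric operands outright, unlike [[ ]].)
    if [ "$1" -eq 42 ]; then echo "correct"; else echo "wrong"; fi
}

# Usage: ./guess.sh 42
if [ "$#" -gt 0 ]; then guess_safe "$1"; fi
```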

webstrand, 6 months ago

I... don't understand. I thought the whole reason for using [[ and breaking posix compatibility was to prevent just this kind of vulnerability. Why would bash do this.

Comment #42214920 not loaded
Comment #42214952 not loaded

tpoacher, 6 months ago

From what I understand, based on the premise that this results from switching into 'arithmetic' mode, you don't even need test. The following will also work with the proposed attack:

```bash
# declare -i evaluates its assigned value arithmetically, so the argument
# is treated as an arithmetic expression
function guess () { declare -i num="${1}" ; }
```

(unless I'm missing something?)

Comment #42219366 not loaded

zettabomb, 6 months ago

Honestly I just don't write shell scripts anymore, bash or otherwise. By the time any system I use is up, Python is available. I don't know if I've found a true need for shell in anything application level. I'll even fire up a Python shell for something simple like mass renaming files, simply because the string manipulation is so much easier.

Comment #42215785 not loaded

IYasha, 6 months ago

I have a related question: is integer/"((math))" logic really safer (in bash) than "[normal]"? I usually try hard to use declare -i iMyVar; as many applicable variables as possible. But evaluation of strings is still usually a hellhole... I mean hole hell.

tpoacher, 6 months ago

Question: why does the evaluation inside a[] (which does not produce a value) not result in a bad array subscript error in this case?

If you try to evaluate this kind of thing as an arithmetic expression directly, it will fail with an error of a bad subscript (mind you, the attack will still work though).

Comment #42215499 not loaded

alganet, 6 months ago

My first instinct would be to remove the bashisms first:

https://gist.github.com/alganet/a4198158651f3b2dc43ce658052e2aa0

Then, if we run it:

"line 3: test: a[$(cat /etc/passwd > /tmp/pwned)] + 42: integer expression expected"

Comment #42214550 not loaded