denisidoro/navi

Some concerns about security with variables

Open

#533 opened on Apr 21, 2021

View on GitHub
 (7 comments) (1 reaction) (0 assignees)Rust (15,874 stars) (530 forks)batch import
help wantednew feature

Description

Navi is really nice and the ability to use cheatsheet from other people is very nice and allows to learn new tricks. The use of variable with fzf is a real usability gain.

But those two features together raises some security concerns, as it may leads a navi user to run malicious or erroneous shell commands with unwanted side effects.

I'm afraid I've no solution apart disabling variables or setting up a mechanism which would allows only accepted and reviewed code to be executed.

Contributor guide

Tech stack
rustshell
Domain
clisecurity
Issue type
security
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
3-5 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
None
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
20
Research direction
Investigate the current variable implementation in navi, particularly how user provided cheatsheets are executed. Review the discussion in the comments for proposed solutions. Consider implementing a sandboxing mechanism or an allowlist for reviewed cheatsheets.