Best pracices: using ShellCheck to sanitize scripts

Hi team:
As we know, Bash scripts are a big security matter for system reaches. For instance, [Shellshock vulnerabilities]=> (https[://]en.wikipedia[.]org/wiki/Shellshock_(software_bug)) or [bash commands injection] => https[.//]www.owasp[.]org/index.php/Command_Injection) can deeply harm yunohost instance, furthermore if executed as super-administrator (as YNH scripts does).

I suggest in the framework of deploying new apps and classify the sanity of them with the great ideas of app levels, to get in parallel of [package-linter]=>(https[://]github[.]com/YunoHost/package_linter) to use bash best practices with ShellCheck.

I issued a PR to sanitize example scripts of [example_ynh]=>(https[://]github[.]com/YunoHost/example_ynh) that can be found here:

Best would be to parse ShellCheck output in Travis CI?

(sorry for Markdown mess, I’m limited by the # of links I can put…!!)

Hmmmm I think last time this was discussed, one conclusion was that basically the security issue is ~irrelevant because anyway the script is ran as root and you ultimately trust both :

  • the author of the script (otherwise you are already screwed anyway because it’s ran as root, the author doesn’t need subtle injections to backdoor your system)
  • and the person running the script (it’s the admin of the server so he/she’s not going to backdoor his/her own server…).

So I dunno which kind of attacker shellcheck would protect against.

Thouh otherwise, personally I think it would be good to have a code/style linter (equivalent to PEP8 but for bash) to have a standard style for writing bash, though maybe that’s not really the priority I dunno :confused:

Hi @Aleks,

This is just a suggestion to help app maintainers to linter the code :slight_smile:
You are right about risk management on those scripts indeed, it’s irrelevant.

Heisen-bugs might however appear: what if a YunoHost admin want to name his admin “John Doe” (spaces may break bash code somewhere if not sanitized).

Long story short, feel free to PM me if bash lintering with this gains interest in the future!


1 Like