
I have a problem. I have tried many options to prevent my parameter from escaping with the "&" character. Unfortunately, nothing works. Do you have any option for how to protect my string and allow only [a-z]? I tried everything on Stack Overflow and still nothing.

Here is the example script:

#!/bin/bash
initials=$1

# Accepts only a 4-character value: length 5 or more is "too long",
# length 3 or less is "too short", and any listed special character is rejected.
initials_buffer(){
    if [[ ${#initials} -ge 5 ]] ; then echo "Error: Bad initials. Too long!!!" ; exit 1
    elif [[ ${#initials} -le 3 ]] ; then echo "Error: Bad initials. Too short!!!" ; exit 1
    elif [[ $initials == *['!'@#\$%^\&*()_+]* ]] ; then echo "Hey!! No special chars" ; exit 1
    else 
        echo "properly string"
    fi
}

initials_buffer
exit 0

And here are the results where I have too short, too long, and where I escaped from the script to the whoami command as root.

    ┌──(rootkali)-[/]
    └─# bash test.sh pr
    Error: Bad initials. Too short!!!

    ┌──(rootkali)-[/]
    └─# bash test.sh praaaaaa
    Error: Bad initials. Too long!!!

    ┌──(rootkali)-[/]
    └─# bash test.sh pr*n
    Hey!! No special chars

    ┌──(rootkali)-[/]
    └─# bash test.sh pra& whoami
    [1] 7951
    root

    Error: Bad initials. Too short!!!
    [1]  + done       bash test.sh pra

Every character check is working except for "&", "(" and ")".

Shawn
przem.exe
  • Quote the argument. `bash test.sh "pra& whoami"` – Shawn Jun 13 '22 at 11:31
  • `bash test.sh pra& whoami` runs `bash test.sh pra` in the background, and then runs `whoami` in the foreground. It does **not** pass `&` to `test.sh`, so there's nothing `test.sh` could possibly do to reject it. – Charles Duffy Jun 13 '22 at 11:59
  • Similarly, `bash test.sh pr*n` doesn't always pass `pr*n` as an argument to `test.sh` -- if you're in a directory that has files `prawn` and `priwn` in it, those filenames will be passed as arguments instead, _and nothing your script can do can change that_ because it happens before the script even starts. It's the responsibility of the user **calling** your script to write correct shell syntax for their calls, and in this case that means quoting: `bash test.sh 'pra&'` and `bash test.sh 'pr*wn'` – Charles Duffy Jun 13 '22 at 12:01
  • (I'm assuming from the `.exe` in your username that you come from Windows -- while on Windows command-line parsing from a string to an argument vector is done by the libc in the program that was invoked and can be overridden, on UNIX programs are invoked with an argument vector directly; they never get a chance to see the original string). – Charles Duffy Jun 13 '22 at 12:03
  • Thank you, Charles! Thank you for the answer that it is impossible. I need to do a script where I can't trust people. So I will need to write this script in another language. – przem.exe Jun 13 '22 at 14:06

1 Answer

Rather than trying to match edge cases that are invalid, it seems easier to match the valid cases. If you want a string of 3 to 5 characters between a and z, just match it explicitly:

# Anchored with ^ and $ so the whole value must be 3 to 5 letters;
# without the anchors, any 3-letter substring (e.g. in "praaaaaa") would pass.
if ! [[ $initials =~ ^[a-z]{3,5}$ ]]; then
        echo "Error: Bad initials.  Must be 3 to 5 characters a-z" >&2
        exit 1
fi

Also, write your error messages to stderr, and exit with a reasonable value.

William Pursell
  • This is correct as far as it goes, but it doesn't help the user understand why `bash test.sh pra&` isn't passing `"pra&"` as `$1`. – Charles Duffy Jun 13 '22 at 12:04
  • I tried William's method but it is still not working. Result: `┌──(rootkali)-[/opt/P01162-ScanGrid] └─# bash test.sh ars& whoami [1] 9813 root Hey!! [1] + done bash test.sh ars` – przem.exe Jun 13 '22 at 13:24
  • I just need to create an unhackable sudo wrapper script with no option to get out of the string by adding &. :( – przem.exe Jun 13 '22 at 13:28
  • @przem.exe `bash test.sh ars&` executes the script `test.sh` (a terrible name!) with the single argument `ars`. – William Pursell Jun 13 '22 at 13:47
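The following is an added example, not code from the question, the answer or the comments. It puts the two points made in the thread into one runnable script: first, that a bash script only ever receives an argument vector, so `&` and `*` are consumed by the calling shell before the script starts and only the caller's quoting can deliver `pra&` as a single argument; second, that an allow-list check such as `[a-z]{3,5}` must be anchored, because on its own it also accepts `praaaaaa` or `ab!cdef`. It also shows the safe shape for the sudo-wrapper use case raised in the comments: validate, then pass the value on as one argv element rather than splicing it into a command string. The function names and the `/usr/local/bin/tool` path are this example's own hypothetical choices; nothing is actually executed with elevated privileges.

```bash
#!/usr/bin/env bash
# Added example; not code from the question, the answer or the comments.
# Function names and the /usr/local/bin/tool path are hypothetical.

# Print every received argument in <> delimiters, one per line, so the
# argument boundaries chosen by the calling shell are visible.
show_args() {
    printf '<%s>\n' "$@"
}

# Print how many arguments arrived.
arg_count() {
    printf '%s\n' "$#"
}

# Succeed only if the whole argument is 3 to 5 lower-case ASCII letters.
# The anchors ^ and $ make this a whole-string check; LC_ALL=C pins the
# a-z range to ASCII regardless of the caller's locale.
valid_initials() {
    local LC_ALL=C
    [[ $1 =~ ^[a-z]{3,5}$ ]]
}

# The wrapper shape asked about in the comments: validate, then pass the
# value on as a single argv element. Never splice it into a command string
# (eval, bash -c "tool $1"): that re-parses the text inside the script and
# recreates the problem the caller's quoting had solved. This prints the
# command instead of executing it so the example runs anywhere.
run_tool() {
    if ! valid_initials "$1"; then
        printf 'Error: Bad initials. Must be 3 to 5 characters a-z\n' >&2
        return 1
    fi
    printf 'would exec: %q -- %q\n' /usr/local/bin/tool "$1"
}

# --- demonstration, using the inputs from the question ---------------------
echo '# unquoted: & ends the command; show_args receives "pra" and runs in the'
echo '# background, and what follows is a separate command'
show_args pra& echo '<second command, would have been whoami>'; wait
echo '# quoted: one command, one argument, ampersand included'
show_args 'pra&'
echo '# pr*n: globbed by the caller; literal only if nothing in $PWD matches'
show_args pr*n

echo '# validation results:'
for candidate in pr pra praaaaaa 'pra&' 'pr*n' 'ab!cdef' ABC abcde; do
    if valid_initials "$candidate"; then
        printf '%-10s accepted\n' "$candidate"
    else
        printf '%-10s rejected\n' "$candidate"
    fi
done
run_tool abc
run_tool 'abc& whoami' || true
```

Run it as `bash example.sh`; the `run_tool 'abc& whoami'` line is the only way an ampersand reaches the script at all, and the anchored check rejects it there.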