Any tips on invoking notmuch cli securely? (pre-ANN yet another web client)

[David Bremner]

Daniel Barlow <dan at telent.net> writes:

> There are a number of ways this is currently insecure but the particular
> one I want to ask about today is running the notmuch cli commands with
> user-supplied arguments and whether there are any particular gotchas in
> doing so?  I am reasonably sure that my code to invoke notmuch(1) is
> calling execve(2) without invoking /bin/sh or the equivalent [*], but
> are there ways, for example, that passing a weirdly formed thread-id to
> ["notmuch", "show", thread-id] could cause it to invoke a subshell or
> delete the database or something else unexpected?  I did look briefly at
> using libnotmuch directly, but the JSON output format is oh *so*
> convenient and I'd be entirely happy not to have to reinvent it.

I'm leery of making any kind of guarantees, because the notmuch CLI has
never been audited from a security minded point of view. It is C, so I
expect there are the usual kinds of bounds checking failures and buffer
overruns.

On the other hand, I'm reasonably sure nothing in the notmuch
query parser calls the shell. We do use the Xapian query parser pretty
much as a black box, so we'd inherit any (hypothetical)
vulnerabilities. On the other hand, Olly (in copy) has actually designed
the parser to be used in web facing software from the beginning, so
that's probably not a big issue.

d