Sanitize user input in bash for security purposes

The Short

Bash already deals with that. Quoting it is sufficient.

ls "$INPUT"

The Long

A rough guide to how the shell parses this line is:

"ls \"$INPUT\""                     # Raw command line.
["ls", "\"$INPUT\""]                # Break into words.
["ls", "\"filename; rm -rf /\""]    # Perform variable expansion.
["ls", "\"filename; rm -rf /\""]    # Perform word splitting (no change).
["ls", "filename; rm -rf /"]        # Remove quotes.

Because of the quotes the $INPUT variable does not undergo word splitting. The ls will look for a file named filename; rm -rf /.

If you didn’t quote it then the expansion would proceed differently:

"ls $INPUT"                             # Raw command line.
["ls", "$INPUT"]                        # Break into words.
["ls", "filename; rm -rf /"]            # Perform variable expansion.
["ls", "filename;", "rm", "-rf", "/"]   # Perform word splitting.

You can at least have consolation that this won’t actually execute rm -rf /. Rather, it’ll pass each of those strings as a file name to ls. You’ll ls some files you didn’t intend but at least it won’t accidentally execute unwanted commands.

jkugelman$ VAR='.; echo hi'
jkugelman$ ls $VAR
ls: .;: No such file or directory
ls: echo: No such file or directory
ls: hi: No such file or directory

Excerpts from “man bash”:

QUOTING

Quoting is used to remove the special meaning of certain characters or words to the shell. Quoting can be used to disable special treatment for special characters, to prevent reserved words from being recognized as such, and to prevent parameter expansion.

EXPANSION

Expansion is performed on the command line after it has been split into words. There are seven kinds
of expansion performed: brace expansion, tilde expansion, parameter and variable expansion, command
substitution, arithmetic expansion, word splitting, and pathname expansion.

Only brace expansion, word splitting, and pathname expansion can change the number of words of the
expansion; other expansions expand a single word to a single word. The only exceptions to this are
the expansions of "$@" and "${name[@]}" as explained above (see PARAMETERS).

Word Splitting

The shell scans the results of parameter expansion, command substitution, and arithmetic expansion
that did not occur within double quotes for word splitting.

Quote Removal

After the preceding expansions, all unquoted occurrences of the characters \, ', and " that did not
result from one of the above expansions are removed.
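The word-splitting behaviour described in the answer, shown as an added example (this is not code from the original post). It uses a constructed input value and a small helper that only counts and prints the words a command would receive, so nothing is ever executed from the input:

```shell
#!/bin/sh
# Added example: demonstrates quoted vs. unquoted variable expansion.
# Nothing from INPUT is executed; the helpers only report the words
# that a command such as ls would receive as arguments.

# Report how many arguments the callee received.
count_args() {
    echo "$#"
}

# Print each received argument in brackets, one per line.
show_words() {
    for w in "$@"; do
        printf '[%s]\n' "$w"
    done
}

# Constructed input value (assumption for the demo), mirroring the answer.
INPUT='filename; rm -rf /'

# Quoted expansion: the whole value stays one word.
quoted_count() {
    count_args "$INPUT"
}

quoted_words() {
    show_words "$INPUT"
}

# Unquoted expansion: the value is split on IFS (whitespace by default)
# into several words, which is what makes the quoted form the safe one.
unquoted_count() {
    # shellcheck disable=SC2086  (deliberately unquoted for the demo)
    count_args $INPUT
}

unquoted_words() {
    # shellcheck disable=SC2086  (deliberately unquoted for the demo)
    show_words $INPUT
}

# Usage: run the script to see both forms side by side.
echo "quoted:   $(quoted_count) word(s)"
quoted_words
echo "unquoted: $(unquoted_count) word(s)"
unquoted_words
```

In neither case does the shell treat `;` or `rm` as a command, which is the point of the answer: splitting changes how many arguments the command gets, not what gets executed. One extra check worth adding when the value is a filename is to put `--` before it (`ls -- "$INPUT"`), so an input beginning with `-` is not parsed as an option by the command being called; that caveat is my addition, not part of the original answer.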
