Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Parameter escape allows running arbitrary commands and commands fail with valid strings #11003

Closed
MattJeanes opened this issue Oct 28, 2019 · 3 comments
Closed

Parameter escape allows running arbitrary commands and commands fail with valid strings #11003

MattJeanes opened this issue Oct 28, 2019 · 3 comments
Assignees
@arrownj @jiasli
Labels
Core CLI core infrastructure Shell - PowerShell
Milestone
S165

Comments

@MattJeanes
Copy link

MattJeanes commented Oct 28, 2019
edited
Loading

There appears to be an issue validating some strings in various commands for example when passing the string !#$%&calc as an argument. Any string ending in < also causes issues in commands.

These issues only appear to happen in a Powershell shell, I am unable to reproduce in a cmd shell. I discovered this after one of our passwords for sql db import resulted in a The system cannot find the file specified error so we have had to change the password for now to work around the issue, but this definitely doesn't seem like correct behaviour to me.

To Reproduce:

  • Open Powershell prompt (5.1)
  • az sql db import -p "!#$%&calc"
  • Calculator opens
  • az webapp get --name "!#$%&calc"
  • Calculator opens
  • az webapp get --name "xxxxx^<"
  • The syntax of the command is incorrect.
    C:\Users\matt> "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\\..\python.exe" -IBm azure.cli webapp get --name xxxxx<

Expected Behavior

  • Calculator does not open
  • Commands do not fail

Environment Summary

Windows-10-10.0.17763-SP0
Python 3.6.6
Shell: powershell.exe

azure-cli 2.0.75

Additional Context
@Juliehzl Juliehzl added Web Apps az webapp Service Attention This issue is responsible by Azure service team. labels Oct 29, 2019
@Juliehzl
Copy link
Contributor

cc @AzureAppServiceCLI @antcp

@panchagnula
Copy link
Contributor

This is not specific for Webapps command please see description to see that this happens with az sql as well. The issue is CLI is being used in PowerShell . please use a BASH window. Removing App service label.

@panchagnula panchagnula removed Service Attention This issue is responsible by Azure service team. Web Apps az webapp labels Dec 27, 2019
@yonzhan yonzhan added this to the S164 milestone Dec 27, 2019
@yonzhan yonzhan added the Core CLI core infrastructure label Dec 27, 2019
@jiasli
Copy link
Member

jiasli commented Dec 27, 2019

Thanks for elaborating the symptom. You are hitting a known issue in PowerShell which we have doc'ed at: https://github.com/Azure/azure-cli/blob/dev/doc/use_cli_effectively.md#quoting-issues

PowerShell strips double quotes and causes the command to be parsed by CMD as:
az sql db import -p "!#$%&calc" -> az sql db import -p !#$% & calc
where & stands for a command separator.

Same for
az webapp get --name "xxxxx^<" -> az webapp get --name xxxxx^ <
where < stands for stdin redirection.

Please use --% to bypass the bug in PowerShell.

> az --% sql db import -p "!#$%&calc" --debug
Command arguments: ['sql', 'db', 'import', '-p', '!#$%&calc', '--debug']

> az --% webapp get --name "xxxxx^<" --debug
Command arguments: ['webapp', 'get', '--name', 'xxxxx^<', '--debug']

This was referenced Jan 2, 2020
Closed
Closed
@yonzhan yonzhan assigned arrownj and unassigned jiasli Jan 30, 2020
@yonzhan yonzhan modified the milestones: S164, S165 Jan 30, 2020
@jiasli jiasli self-assigned this Feb 5, 2020
@jiasli jiasli closed this as completed Feb 5, 2020
@jiasli jiasli mentioned this issue Apr 29, 2020
Merged
@jiasli jiasli mentioned this issue May 9, 2020
Merged
@jiasli jiasli mentioned this issue Oct 15, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@arrownj arrownj

@jiasli jiasli

Labels
Core CLI core infrastructure Shell - PowerShell
Projects
None yet
Milestone
S165
Development

No branches or pull requests
6 participants
@MattJeanes @arrownj @jiasli @panchagnula @Juliehzl @yonzhan