0·
20 days agoAgreed.
Also gtfobins is a great resource in addition to shellcheck to try to make secure scripts.
For instance I felt upon a script like this recently:
#!/bin/bash
# ... some stuff ...
tar -caf archive.tar.bz2 "$@"
Quotes are OK, shellcheck is happy, but, according to gtfobins, you can abuse tar, so running the script like this:
./test.sh /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
ends up spawning an interactive shell…
So you can add up binaries insanity on top of bash’s mess.
Why do you think it’s different?