Are batch scripts a security vulnerability? - Chris Denton
A few weeks back a CVE landed that affected practically every language's standard library on Windows. RyotaK has a very detailed write up that you should definitely read if you haven't already: BatBadBut: You can't securely execute commands on Windows. The short version is that sending untrusted arguments to even a trusted batch script is a vulnerability because the shell gets involved before the script is even run (more on that in a sec).
However, different languages reacted to it differently:Some (like Rust) issued a fix.Some others only documented the issue.Still others did nothing at all.
A question I've been asked a fair bit since then is why there were this range of responses. I can't speak for other languages but I can try to explain why Rust considered this a library vulnerability and speculate why others may be either reluctant to patch or else not consider this critical enough to fix.
This runs script.sh with the arguments one, two and three. If you use an exec* function to execute bash, and not a shell, then the arguments are passed directly to the script.
/cdn.vox-cdn.com/uploads/chorus_asset/file/25430170/203746_thermostats_ecobee_ebstat02.jpeg)
