Revisions to Replace number from regexp capture with the output of a command using that number in sed

added 16 characters in body

Source Link

edited Nov 1, 2024 at 18:18

8.9k
2
25
42

$ echo "a b c  syscall=257 success=yes" |
    sed -E 's"
      h         # copy input line from pattern space to hold space
      s/^.*syscall=([0-9]+[0123456789]+).*$/$(ausyscall \1)/;e   # get just the syscall number
      t match   # Conditionally jump to "match" label if above substitution succeeded
      x         #   else revert pattern space back to original input
      b end     #   and jump to "end" label
      :match
      G         # append newline + hold space to pattern space
      s/^([^\n]+)\n(.*syscall=)[0123456789]+(.*)$/echo "&"\2\1\3/e'  # replace number with syscall name
      :end
"
a b c  syscall=openat success=yes
$

The e extension to s simply forks a shell and evaluates s's resulting pattern space and replaces the pattern space with the result of the executed command. So In order to mitigate any potential code-injection issues, the regex to extract the syscall number is very careful to only match numeric digits. [0-9] is not used as it could match other things in various locales. The resulting number is justthen passed to a matter of re-crafting the pattern space into something that can meaningfully beconstructed ausyscall command and executed by.

The rest of the shellsed commands are to giveensure that if there are input lines that do not contain syscall numbers, then the desired resultare left unmodified.

Note also - whenever you see the word evaluate, take this as a big warning of possible code-injection bugs. Don't use commands like this on unvetted user input.

Update:

I believe in Because this case the command is reasonably safe against code-injection attacks, because the input is already validated as beingworks on strictly numeric-only. To be extra careful that nothing untoward data, it is goingstraightforward to be executedvalidate, the rest of the matching line canbut much more care must be made into a single-quoted printf format string (I don't think any code-injection attacks possible there), and the syscall lookup as a parameter:taken with more general cases.

$ echo "a b c  syscall=257 success=yes" |
    sed -E "s/'/'\\\''/g; s/^([^0123456789]*)([01234567899]+)(.*)$/printf '%s%s%s' '\1' \$(ausyscall \2) '\3'/e"
a b c  syscall=openat success=yes
$

$ echo "a b c  syscall=257 success=yes" |
    sed -E 's/([0-9]+)/$(ausyscall \1)/; s/.*/echo "&"/e'
a b c  syscall=openat success=yes
$

The e extension to s simply forks a shell and evaluates s's resulting pattern space and replaces the pattern space with the result of the executed command. So it is just a matter of re-crafting the pattern space into something that can meaningfully be executed by the shell to give the desired result.

Note also - whenever you see the word evaluate, take this as a big warning of possible code-injection bugs. Don't use commands like this on unvetted user input.

Update:

I believe in this case the command is reasonably safe against code-injection attacks, because the input is already validated as being numeric-only. To be extra careful that nothing untoward is going to be executed, the rest of the matching line can be made into a single-quoted printf format string (I don't think any code-injection attacks possible there), and the syscall lookup as a parameter:

$ echo "a b c  syscall=257 success=yes" |
    sed -E "s/'/'\\\''/g; s/^([^0123456789]*)([01234567899]+)(.*)$/printf '%s%s%s' '\1' \$(ausyscall \2) '\3'/e"
a b c  syscall=openat success=yes
$

$ echo "a b c  syscall=257 success=yes" |
    sed -E "
      h         # copy input line from pattern space to hold space
      s/^.*syscall=([0123456789]+).*$/ausyscall \1/e   # get just the syscall number
      t match   # Conditionally jump to "match" label if above substitution succeeded
      x         #   else revert pattern space back to original input
      b end     #   and jump to "end" label
      :match
      G         # append newline + hold space to pattern space
      s/^([^\n]+)\n(.*syscall=)[0123456789]+(.*)$/\2\1\3/  # replace number with syscall name
      :end
"
a b c  syscall=openat success=yes
$

The e extension to s forks a shell and evaluates s's resulting pattern space and replaces the pattern space with the result of the executed command. In order to mitigate any potential code-injection issues, the regex to extract the syscall number is very careful to only match numeric digits. [0-9] is not used as it could match other things in various locales. The resulting number is then passed to a constructed ausyscall command and executed.

The rest of the sed commands are to ensure that if there are input lines that do not contain syscall numbers, then the are left unmodified.

Note also - whenever you see the word evaluate, take this as a big warning of possible code-injection bugs. Don't use commands like this on unvetted user input. Because this case works on strictly numeric data, it is straightforward to validate, but much more care must be taken with more general cases.

added 16 characters in body

Source Link

edited Nov 1, 2024 at 16:14

Digital Trauma

8.9k
2
25
42

GNU sed can do this if you are willing to use the GNU sed e extension to the s command:

$ echo "a b c  syscall=257 success=yes" |
    sed -E 's/([0-9]+)/$(ausyscall \1)/; s/.*/echo "&"/e'
a b c  syscall=openat success=yes
$

The e extension to s simply forks a shell and evaluates s's resulting pattern space and replaces the pattern space with the result of the executed command. So it is just a matter of re-crafting the pattern space into something that can meaningfully be executed by the shell to give the desired result.

Side note - Ubuntu users may install the ausyscall command by installing the auditd package:

sudo apt install auditd

Note also - whenever you see the word evaluate, take this as a big warning of possible code-injection bugs. Don't use commands like this on unvetted user input.

Update:

I believe in this case the command is reasonably safe against code-injection attacks, because the input is already validated as being numeric-only. To be extra careful that nothing untoward is going to be executed, the rest of the matching line can be made into a single-quoted printf format string (I don't think any code-injection attacks possible there), and the syscall lookup as a parameter:

$ echo "a b c  syscall=257 success=yes" |
    sed -E "s/'/'\\\''/g; s/^([^0123456789]*)([0123456789]+[01234567899]+)(.*)$/printf '%s%s%s' '\1' \$(ausyscall \2) '\3'/ee"
a b c  syscall=openat success=yes
$

GNU sed can do this if you are willing to use the GNU sed e extension to the s command:

$ echo "a b c  syscall=257 success=yes" |
    sed -E 's/([0-9]+)/$(ausyscall \1)/; s/.*/echo "&"/e'
a b c  syscall=openat success=yes
$

The e extension to s simply forks a shell and evaluates s's resulting pattern space and replaces the pattern space with the result of the executed command. So it is just a matter of re-crafting the pattern space into something that can meaningfully be executed by the shell to give the desired result.

Side note - Ubuntu users may install the ausyscall command by installing the auditd package:

sudo apt install auditd

Note also - whenever you see the word evaluate, take this as a big warning of possible code-injection bugs. Don't use commands like this on unvetted user input.

Update:

I believe in this case the command is reasonably safe against code-injection attacks, because the input is already validated as being numeric-only. To be extra careful that nothing untoward is going to be executed, the rest of the matching line can be made into a single-quoted printf format string (I don't think any code-injection attacks possible there), and the syscall lookup as a parameter:

$ echo "a b c  syscall=257 success=yes" |
    sed -E "s/^([^0123456789]*)([0123456789]+)(.*)$/printf '%s%s%s' '\1' \$(ausyscall \2) '\3'/e
a b c  syscall=openat success=yes
$

GNU sed can do this if you are willing to use the GNU sed e extension to the s command:

$ echo "a b c  syscall=257 success=yes" |
    sed -E 's/([0-9]+)/$(ausyscall \1)/; s/.*/echo "&"/e'
a b c  syscall=openat success=yes
$

The e extension to s simply forks a shell and evaluates s's resulting pattern space and replaces the pattern space with the result of the executed command. So it is just a matter of re-crafting the pattern space into something that can meaningfully be executed by the shell to give the desired result.

Side note - Ubuntu users may install the ausyscall command by installing the auditd package:

sudo apt install auditd

Note also - whenever you see the word evaluate, take this as a big warning of possible code-injection bugs. Don't use commands like this on unvetted user input.

Update:

I believe in this case the command is reasonably safe against code-injection attacks, because the input is already validated as being numeric-only. To be extra careful that nothing untoward is going to be executed, the rest of the matching line can be made into a single-quoted printf format string (I don't think any code-injection attacks possible there), and the syscall lookup as a parameter:

$ echo "a b c  syscall=257 success=yes" |
    sed -E "s/'/'\\\''/g; s/^([^0123456789]*)([01234567899]+)(.*)$/printf '%s%s%s' '\1' \$(ausyscall \2) '\3'/e"
a b c  syscall=openat success=yes
$

added 24 characters in body

Source Link

edited Nov 1, 2024 at 16:07

Digital Trauma

8.9k
2
25
42

GNU sed can do this if you are willing to use the GNU sed e extension to the s command:

$ echo "a b c  syscall=257 success=yes" |
    sed -E 's/([0-9]+)/$(ausyscall \1)/; s/.*/echo "&"/e'
a b c  syscall=openat success=yes
$

The e extension to s simply forks a shell and evaluates s's resulting pattern space and replaces the pattern space with the result of the executed command. So it is just a matter of re-crafting the pattern space into something that can meaningfully be executed by the shell to give the desired result.

Side note - Ubuntu users may install the ausyscall command by installing the auditd package:

sudo apt install auditd

Note also - whenever you see the word evaluate, take this as a big warning of possible code-injection bugs. Don't use commands like this on unvetted user input.

Update:

I believe in this case the command is reasonably safe against code-injection attacks, because the input is already validated as being numeric-only. To be extra careful that nothing untoward is going to be executed, the rest of the matching line can be made into a single-quoted printf format string (I don't think any code-injection attacks possible there), and the syscall lookup as a parameter:

$ echo "a b c  syscall=257 success=yes" |
    sed -E "s/^([^0-9]*[^0123456789]*)([0-9]+[0123456789]+)(.*)$/printf '\1%s\3''%s%s%s' '\1' \$(ausyscall \2) '\3'/e"e
a b c  syscall=openat success=yes
$

GNU sed can do this if you are willing to use the GNU sed e extension to the s command:

$ echo "a b c  syscall=257 success=yes" |
    sed -E 's/([0-9]+)/$(ausyscall \1)/; s/.*/echo "&"/e'
a b c  syscall=openat success=yes
$

The e extension to s simply forks a shell and evaluates s's resulting pattern space and replaces the pattern space with the result of the executed command. So it is just a matter of re-crafting the pattern space into something that can meaningfully be executed by the shell to give the desired result.

Side note - Ubuntu users may install the ausyscall command by installing the auditd package:

sudo apt install auditd

Note also - whenever you see the word evaluate, take this as a big warning of possible code-injection bugs. Don't use commands like this on unvetted user input.

Update:

I believe in this case the command is reasonably safe against code-injection attacks, because the input is already validated as being numeric-only. To be extra careful that nothing untoward is going to be executed, the rest of the matching line can be made into a single-quoted printf format string (I don't think any code-injection attacks possible there), and the syscall lookup as a parameter:

$ echo "a b c  syscall=257 success=yes" |
    sed -E "s/^([^0-9]*)([0-9]+)(.*)$/printf '\1%s\3' \$(ausyscall \2)/e"
a b c  syscall=openat success=yes
$

GNU sed can do this if you are willing to use the GNU sed e extension to the s command:

$ echo "a b c  syscall=257 success=yes" |
    sed -E 's/([0-9]+)/$(ausyscall \1)/; s/.*/echo "&"/e'
a b c  syscall=openat success=yes
$

The e extension to s simply forks a shell and evaluates s's resulting pattern space and replaces the pattern space with the result of the executed command. So it is just a matter of re-crafting the pattern space into something that can meaningfully be executed by the shell to give the desired result.

Side note - Ubuntu users may install the ausyscall command by installing the auditd package:

sudo apt install auditd

Note also - whenever you see the word evaluate, take this as a big warning of possible code-injection bugs. Don't use commands like this on unvetted user input.

Update:

I believe in this case the command is reasonably safe against code-injection attacks, because the input is already validated as being numeric-only. To be extra careful that nothing untoward is going to be executed, the rest of the matching line can be made into a single-quoted printf format string (I don't think any code-injection attacks possible there), and the syscall lookup as a parameter:

$ echo "a b c  syscall=257 success=yes" |
    sed -E "s/^([^0123456789]*)([0123456789]+)(.*)$/printf '%s%s%s' '\1' \$(ausyscall \2) '\3'/e
a b c  syscall=openat success=yes
$

Rollback to Revision 3

Source Link

edited Nov 1, 2024 at 16:06

Digital Trauma

8.9k
2
25
42

Loading

added 40 characters in body

Source Link

edited Nov 1, 2024 at 16:06

Digital Trauma

8.9k
2
25
42

Loading

added 594 characters in body

Source Link

edited Nov 1, 2024 at 1:38

Digital Trauma

8.9k
2
25
42

Loading

added 172 characters in body

Source Link

edited Nov 1, 2024 at 0:59

Digital Trauma

8.9k
2
25
42

Loading

Source Link

answered Nov 1, 2024 at 0:54

Digital Trauma

8.9k
2
25
42

Loading

Stack Exchange Network

Return to Answer

Update:

Update:

Update:

Update:

Update:

Update:

Update:

Update: