Security risk (?): Backticks in descriptions are attempted to eval!

[Enrico2]

We had a description defined like this with backticks:

description = "Runs dbmigrator --migrate on database started by `run-db-local` (eg via `:db:local:run`)."

Then in bash, I did

gradle :db:migrations[tab]

and saw:

$ gradle :db:migrations:-bash: run-db-local: command not found
-bash: :db:local:run: command not found
-bash: run-db-local: command not found
-bash: :db:local:run: command not found

Seems like this could be some attack vector, where a description could contain some malicious bash command.

[mikesamuel]

Could the problem be here?

gradle-completion/gradle-completion.bash

Lines 204 to 208 in 5c863bf

	if [[ -z "$cur" ]]; then
	cached_tasks=( $(grep -v "^:" "$cache_dir/$cached_checksum") )
	else
	cached_tasks=( $(grep "^$cur" "$cache_dir/$cached_checksum") )
	fi

IIUC that filters text like

assemble  - Assembles the outputs of this project.
bar:assemble  - Assembles the outputs of this project.
:bar:assemble  - Assembles the outputs of this project.
foo:assemble  - Assembles the outputs of this project.
:foo:assemble  - Assembles the outputs of this project

by prefix. Since it does

$( grep ... )

instead of

"$( grep ... )"

expansion may evaluate shell meta-characters.

[mikesamuel]

My bash is kind of weak right now though.

[apflieger]

Ahhh I see these things in my prompt for month now and I finally figured out this.
The gradle plugin for building IntelliJ plugin have multiple tasks that includes backticks so I get this

./gradlew -bash: robot-server: command not found
-bash: robot-server: command not found
-bash: plugin.xml: command not found
-bash: plugin.xml: command not found
-bash: plugin.xml: command not found
-bash: plugin.xml: command not found

It comes from the following tasks descriptions

downloadRobotServerPlugin - Download robot-server plugin.

and

patchPluginXml - Patches plugin.xml files with values provided to the task.