Shell – Do I need to encapsulate awk variables in quotes in order to sanitize them

Tags: awk, quoting, security, shell, shell-script

As per an answer on stackoverflow, it's my understanding that encapsulating bash variables in double-quotes is a fairly safe way of sanitizing user input.

What about awk variables? For example, if I have something like:

awk -v SOURCEIP="$SOURCEIP" -v REVERSEDNS="$REVERSEDNS" '{
   gsub(/^_TMPSOURCEIP_/, SOURCEIP);
   gsub(/^_TMPREVERSEDNS_/, REVERSEDNS);
   print
}' /home/foo/footemplate

Should I put quotes around the variable in the gsub lines? So it would then look like:

awk -v SOURCEIP="$SOURCEIP" -v REVERSEDNS="$REVERSEDNS" '{
   gsub(/^_TMPSOURCEIP_/, "SOURCEIP");
   gsub(/^_TMPREVERSEDNS_/, "REVERSEDNS");
   print
}' /home/foo/footemplate

Or does this not make a difference?

Best Answer

These two examples demonstrate the difference:

$ echo _TMP_ | awk -v VAR='some "text"' '{ gsub(/_TMP_/, VAR) ; print }'
some "text"
$ echo _TMP_ | awk -v VAR='some "text"' '{ gsub(/_TMP_/, "VAR") ; print }'
VAR

When VAR is unquoted, awk treats it as a variable with the value some "text". When VAR is inside quotes, awk treats it as a three-character string.

MORE: bash has sanitizing issues. Consider:

$ VAR="rm important_file" ; $VAR

The above will erase important_file. In this way, bash is like a macro language: it will substitute for a variable and then try to execute the result. awk is different. Consider:

$ echo _TMP_ | awk -v VAR='var); print $1' '{ gsub(/_TMP_/, VAR) ; print }'
var); print $1

awk treats VAR like mere text, not like potential commands to execute.

Problems can arise, however, if one lets bash modify the awk script. In my examples above, the awk scripts were all in single-quotes. That prevents bash from messing with them.
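As an added example (not part of the answer above), the script below puts the three cases side by side: the shell splicing a value into the awk program text, the answer's single-quoted program with -v, and a fully literal variant using ENVIRON plus index/substr; the template line and the test value are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): the same template substitution
# done three ways. The template line and the hostile-looking value are
# constructed here for the demonstration.

TEMPLATE_LINE='_TMPSOURCEIP_ connected'
# A value that is harmless as data but is valid awk source if spliced into
# the program text.
PAYLOAD='"); print "INJECTED"; x = ("'

# Unsafe: the shell expands "$1" inside the awk program, so the value becomes
# code. With PAYLOAD the program text turns into
#   { gsub(/^_TMPSOURCEIP_/, ""); print "INJECTED"; x = (""); print }
render_unsafe() {
  printf '%s\n' "$TEMPLATE_LINE" |
    awk "{ gsub(/^_TMPSOURCEIP_/, \"$1\"); print }"
}

# Safe, as in the question: single-quoted program, value passed with -v.
# The value is only ever a string inside awk. Two remaining caveats:
# -v applies backslash escape processing to the value, and gsub treats
# & in the replacement string as "the matched text".
render_safe() {
  printf '%s\n' "$TEMPLATE_LINE" |
    awk -v SOURCEIP="$1" '{ gsub(/^_TMPSOURCEIP_/, SOURCEIP); print }'
}

# Literal: ENVIRON values get no escape processing, and index/substr
# replaces the prefix without any replacement-string metacharacters.
render_literal() {
  printf '%s\n' "$TEMPLATE_LINE" |
    SOURCEIP="$1" awk '
      BEGIN { tag = "_TMPSOURCEIP_"; val = ENVIRON["SOURCEIP"] }
      index($0, tag) == 1 { $0 = val substr($0, length(tag) + 1) }
      { print }'
}

echo '--- unsafe ---';    render_unsafe "$PAYLOAD"
echo '--- safe ---';      render_safe "$PAYLOAD"
echo '--- & caveat ---';  render_safe 'a&b'
echo '--- literal ---';   render_literal 'a&b'
```

The unsafe variant prints INJECTED on its own line, the -v variant prints the payload verbatim as data, and the & caveat shows why a value containing & needs the literal variant.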
