2019-02-04-cli-app-design.md 15 KB
description: > Basics on secure CLI app design
title: CLI App Design
Table of Contents
- TOC {:toc}
Foundation
- Common tasks should be uncomplicated
- Restrict privileges
- Secure configuration by default
- Default behavior should be nondestructive
- Handle files as streams when possible
- Format output appropriately
- End execution gracefully
Input
Security
CLIs, like any other piece of software, must validate, sanitize, and securely handle, all input.
Sensitive input
To prevent echoing{:rel="nofollow noreferrer noopener"} data to the terminal in Ruby, we can
require "io/console"
print "valued(€): (no echo)"
sensitive = $stdin.noecho(&:gets).chomp
To get a passphrase{:rel="nofollow noreferrer noopener"} securely we can simply:
require "io/console"
phrase = $stdin.getpass "Passphrase: (no echo)"
Validation
We can use Ruby's built-in Option Parser to coerce arguments{:rel="nofollow noreferrer noopener"} into built-in objects.
require 'optparse'
require 'optparse/time'
OptionParser.new do |parser|
time_desc = "Begin execution at given time"
parser.on("-t", "--time [TIME]", Time, time_desc) do |time|
p time
end
end.parse!
which would fail when used like
$ ruby optparse-test.rb -t nonsense
... invalid argument: -t nonsense (OptionParser::InvalidArgument)
We can also build our custom validations, for instance
require "optparse"
# assuming
User = Struct.new(:id, :name)
def find_user id
not_found = ->{ raise "No User Found for id #{id}" }
[ User.new(1, "Sam"),
User.new(2, "Gandalf") ].find(not_found) do |u|
u.id == id
end
end
# we could do
op = OptionParser.new
op.accept(User) do |user_id|
find_user user_id.to_i
end
op.on("--user ID", User) do |user|
puts user
end
op.parse!
Which could result in something like
$ ruby optparse-test.rb --user 3
... `block in find_user': No User Found for id 3 (RuntimeError)
System calls
We should avoid passing user controlled input to system calls. If we do so, though, we must be aware of the nuances in the different ways of doing so in Ruby. For instance, rather than passing a system call as a single string, we pass it as a series of strings. That way Ruby takes care of escaping special characters.
s = "it's special; indeed"
system "echo", s #=> it's special; indeed
system "echo #{s}" #>> unexpected EOF while looking for matching `''
Yet, it won't escape a null byte, leaving it up to us how to handle it, eg fail gracefully, or sanitize it during input validation.
n = ['a', 'b'].pack 'HxH' #=> "\xA0\x00\xB0" # packing a null byte
system "echo", n #>> ArgumentError (string contains null byte)
require "shellwords"
e = Shellwords.escape n #=> "\\\xA0\\\x00\\\xB0"
system "echo", n #>> ArgumentError (string contains null byte)
If we want access to stdin, stdout, and stderr separately, we can
use Open3{:rel="nofollow noreferrer noopener"}
For full details on how to make system calls in Ruby we need to check the documentation for #system{:rel="nofollow noreferrer noopener"}, #exec{:rel="nofollow noreferrer noopener"}, and #spawn{:rel="nofollow noreferrer noopener"}
Path traversal prevention
Whenever we need to rely on user input to find a file, or directory, we can restrict file system access through Dir.chdir{:rel="nofollow noreferrer noopener"}, or Dir.chroot{:rel="nofollow noreferrer noopener"}
File.exist? "../../etc/passwd" #=> true
# As part of a privileged process
Dir.chroot "Dir.pwd" #=> 0
File.exist? "../../etc/passwd" #=> false
Conventions
CLIs usually come as either commands, or command suites. Here we describe the parts of a command as:
$ command --switch --flag=argument [--brackets-means-optional]
$ command --[no-]switch --flag [argument]
As shown above, switches don't take arguments, whilst flags do. A flag is connected to its argument through an equals sign or a single space.
For reference, the parts of command suite can be described as:
$ executable --global-option command --command-option
Command suites won't be considered for the rest of the note.
Options
Options refer to both, switches and flags. There are short form (-s),
and long form (--long-form) options.
Short-form options should remind us the behavior they control. As they are scarce, we should use them for common nondestructive options.
Long-forms should be as clear as possible, without skimping on letters. They are great for self-documenting scripts.
We should only make dangerous options available as long-form options.
Common options
-h, --help. Used to display the usage reference.
--version. Displays the CLI's current version. Since -v is not
consistently used as version's short form, it can be used for something
else.
--[no-]action flag with optional infix to negate an action. The negation
is usually only used in scripts to show the intent of the default setting.
Consider logging --action's execution for sensitive data.
--[no-]force enforce/disable destructive behavior such as deleting, or
overwriting, files, only through switches.
File streaming
Whenever a CLI handles a file, we should consider support for handling
more than one file at the time. Ruby includes
ARGF{:rel="nofollow noreferrer noopener"}
for file streaming.
Beware, we need to get rid of any other options in ARGV before
streaming the files.
To prevent loading files at once, we should handle them as a lazy enumerable{:rel="nofollow noreferrer noopener"} eg.
ARGF.each_line.lazy { |line| do_something line }
Don't forget to validate, and sanitize their contents.
Output
Formatting
Format the output depending on whether is meant to be displayed or used as input. For instance,
options[:format] = $stdout.tty? ? :tty : :yml
Some machine-friendly formats commonly shared are YAML, JSON, CSV.
As much as possible, stick to the safer versions of such formats.
For instance, when opting for YAML, make sure it can be loaded through
YAML.safe_load.
Streams
Transmit info through both, $stdout and $stderr. The former is meant
for streaming results, and relevant info. The later for errors, and
warnings.
Whenever we need to stream info to $stdout, or $stderr, we should
consider using IO#flush{:rel="nofollow noreferrer noopener"}
to make sure it isn't being display with a delay due to being buffered.
For instance, for progress bars.
For continuous streaming, such as logs, we might want to change the stream's sync mode{:rel="nofollow noreferrer noopener"}.
$stdout.sync = true
$stderr.sync = true
We should stick to false whenever we connect to a remote service to
reduce the likelihood of errors, though.
Security
Sanitize
As with any delivery mechanism, we may need to sanitize the info streamed
through $stdout, and $stderr, so no sensitive data is leaked. This
is specially the case when formatting the data for sharing, eg as a YAML.
Consider removing, or replace, information such as usernames, names, addresses, financial info, and so on.
Escaping characters
Most, if not all, forms of output grant special abilities to some characters. Unfortunately, these are frequently abused. Below we focus on how to stream info safely to a terminal (TTY).
ANSI escape sequences allow us to mark certain characters as commands, or metadata, such as formatting, color change, cursor position, reconfigure the keyboard, update the window title, and so on.
Nowadays, most terminal emulators interpret, at least, some of those sequences. Escape{:rel="nofollow noreferrer noopener"} all command line special characters, and ANSI escape sequences, so they may be displayed safely. Alternatively, remove them.
require "shellwords"
g = "\e[38;5;33mHi\e[0m" #=> "\e[38;5;33mHi\e[0m"
e = Shellwords.escape g #=> "\\\e\\[38\\;5\\;33mHi\\\e\\[0m"
puts g # (imagine blue text) >> Hi
puts e #>> \[38\;5\;33mHi\[0m
Beware, escaped strings aren't intended for use in double, nor single, quotes.
a = "a b, c; d *"
"this is what happens #{a.shellescape}"
#=> "this is what happens a\\ b,\\ c\\;\\ d\\ \\*"
Depending on the app, and the amount of output we need to deal with, it may be better to depend on a pager such as less(1). Make sure to read its manual to see what is actually capable of escaping.
Color
Considering the escaping characters section above, if we support coloring we should never rely exclusively on it to convey a message.
Furthermore, consider adding a --[no-]color switch, or checking the
NO_COLOR{:rel="nofollow noreferrer noopener"}
env var for users that prefer no color.
End execution
CLI apps stop processing either because they fail, succeed, or are interrupted.
Exit status
We use exit codes to report success (0; zero) or failure (non-zero).
To send the exit code we simply do exit 1, where 1 can be any number.
For zero we may call exit without arguments.
In Ruby, we can check the exit status code with
$? #=> 0
# or
require "english"
$CHILD_STATUS.exitstatus #=> 0
Document all exit status codes to help figure out what went wrong. A great starting point is OpenBSD's sysexits(3){:rel="nofollow noreferrer noopener"}
Signal traps
A signal allows the kernel to communicate asynchronously with a process. Users can send signals to processes they own, for instance
| description | key binding | signal |
|---|---|---|
| terminate process | C-c |
SIGINT |
| suspend execution | C-z |
SIGTSTP |
| quit & dump core | C-\ |
SIGQUIT |
| display info | C-t |
SIGINFO |
Usually, kill -l will list all available signals locally.
On occasion we may want to trap signals to clean, reload config, etc.
Signal.trap("SIGINT") do
FileUtils.rm_rf output_file
exit 1
end
Beware of Signal.trap caveats{:rel="nofollow noreferrer noopener"}, though.
Fail gracefully
At the time of design, we should also consider how our app is meant to fail.
Safe file operation
When a process operating on files runs into trouble such as bugs, or running out of disk space, it should ensure no file gets corrupted.
One way of doing a safe write is to put all data in a temporary file before doing any modifications. We replace the original file with the temporary one once we are done changing the latter. For instance,
require "fileutils"
require "tempfile"
def open_safely file
result = temp_file = nil
Tempfile.open do |f|
temp_file = f.path
result = yield f
end
FileUtils.move temp_file, file
result
end
This prevents partial writes, as nothing gets overwritten unless there's
a complete replacement ready. Also, there is no need for locks since
no other process should know of temp_file's existence. Since moving a
file doesn't interrupt any currently occurring access to the old file, it
also implies read safety for those still reading the out-of-date copy.
Process locking
A way to prevent running more than one instance of an app, or service, is by locking it:
- Pick a location on disk, such as
/var/run/rc.d/<app>.pidfor daemons/var/log/<app>-<service>.logfor logs/tmp/<app>-<service>-<timestamp>.tmpfor temporary services
- Lock the chosen file as soon as possible.
Whenever we can't lock the chosen file we know the app is already running, and can quit the new instance.
File locking
Whenever code is meant to handle files on disk we need to consider concurrency issues. We must take explicit steps to enforce mutually exclusive behavior. There are two ways of locking:
- Shared (non-blocking) locks
- can be hold by many processes at the same time
- ensures read integrity only
- Exclusive (blocking) locks
- can only be hold by one process at a time.
- ensures read, and write integrity.
Which can be roughly coded in Ruby as:
def access_file path, mode: "r"
File.open(path, mode, 0644) do |file|
file.flock(mode == "r" ? File::LOCK_SH : File::LOCK_EX)
yield file
ensure
file.flock(File::LOCK_UN)
end
end
Beware, the snippet above loads the entire file to memory. Also, depending on the thread model, validate files through size, MIME, extension, and other relevant metadata, before opening them to help protect against malicious files.
An advantage of locking files as shown is that, if we forget to release the lock before quitting the app, or if it crashes, the OS releases the lock.
For more details on Ruby's take on file permissions, and other details, check Open modes{:rel="nofollow noreferrer noopener"} and File constants{:rel="nofollow noreferrer noopener"} in the documentation.
Locking Considerations
UNIX-like systems don't enforce file locking by default. That is, no other application is actually blocked from writing on the locked file unless it explicitly flocks the file of interest.
Config files
Although is fairly common to expose a configuration object in Ruby, we
may also load preferences defined in formats such as YAML. Remember to
use YAML.safe_load to load configuration files, though.
Single configuration files are usually found as:
/etc/<app>/config.yml$HOME/.config/<app>.yml$HOME/.<app>rc./.<app>
When there are more than one configuration files they are usually split
/etc/<app>/<module>.yml$HOME/.config/<app>/<module>.yml$HOME/.<app>.d/<module>.yml./.config/<module>.yml
Documentation
OptionParser{:rel="nofollow noreferrer noopener"} allows us to document command line options for the help reference. To document the API, though, we may use Rdoc. Users can generate, and use it on the terminal
# Generate ri documentation
$ gem rdoc <gem_name> --ri --no-rdoc --overwrite
# List all of GemName's public methods
$ ri <GemName> -l
or as a local web page:
# Generate HTML documentation
$ gem rdoc <gem_name> --rdoc --no-ri --overwrite
# Start local server to access documentation
$ gem server
Check out the Rdoc markup{:rel="noopener"} and ri{:rel="noopener"} articles for more information.