fix: bb shell injections

Author: AztecBot

barretenberg/cpp/src/barretenberg/api/exec_pipe.hpp

@@ -5,9 +5,15 @@
 #include <cstring>
 #include <memory>
 #include <vector>
+#include <filesystem>
+#include <random>
+#include <string>
+#include <sstream>
 
 namespace bb {
-inline std::vector<uint8_t> exec_pipe([[maybe_unused]] const std::string& command)
+
+// Unsafe version - renamed to make it clear this is dangerous
+inline std::vector<uint8_t> exec_pipe_unsafe([[maybe_unused]] const std::string& command)
 {
 #ifdef __wasm__
     throw_or_abort("Can't use popen() in wasm! Implement this functionality natively.");
@@ -27,4 +33,101 @@ inline std::vector<uint8_t> exec_pipe([[maybe_unused]] const std::string& comman
     return output;
 #endif
 }
+
+// Tag type to mark string literals as safe
+template<size_t N>
+struct literal_string {
+    constexpr literal_string(const char (&str)[N]) {
+        std::copy_n(str, N, value);
+    }
+    char value[N];
+};
+
+// Helper to check if a type is a literal_string
+template<typename T>
+struct is_literal_string : std::false_type {};
+
+template<size_t N>
+struct is_literal_string<literal_string<N>> : std::true_type {};
+
+template<typename T>
+inline constexpr bool is_literal_string_v = is_literal_string<T>::value;
+
+// Concept to ensure arguments are safe for command construction
+template<typename T>
+concept SafeCommandArg = std::is_arithmetic_v<std::decay_t<T>> || is_literal_string_v<std::decay_t<T>>;
+
+// Safe exec_pipe_safe that builds command from literal strings and numbers
+template<SafeCommandArg... Args>
+inline std::vector<uint8_t> exec_pipe_safe(Args... args) {
+    std::ostringstream command;
+    auto append = [&command](auto&& arg) {
+        using T = std::decay_t<decltype(arg)>;
+        if constexpr (std::is_arithmetic_v<T>) {
+            command << arg;
+        } else {
+            command << arg.value;
+        }
+    };
+    (append(args), ...);
+    return exec_pipe_unsafe(command.str());
+}
+
+// RAII class for creating temporary symlinks to safely pass file paths to shell commands
+class SafePathSymlink {
+    std::filesystem::path symlink_path;
+    bool created = false;
+
+    static uint64_t get_random_suffix() {
+        // Thread-local RNG for performance
+        static thread_local std::random_device rd;
+        static thread_local std::mt19937_64 gen(rd());
+        static thread_local std::uniform_int_distribution<uint64_t> dis(100000, 99999999);
+        return dis(gen);
+    }
+
+public:
+    explicit SafePathSymlink(const std::string& target_path) {
+        // Generate random temporary symlink name
+        std::filesystem::path temp_dir = std::filesystem::temp_directory_path();
+        std::string random_name = "bb_safe_" + std::to_string(get_random_suffix());
+        symlink_path = temp_dir / random_name;
+        
+        // Create symlink
+        std::error_code ec;
+        std::filesystem::create_symlink(target_path, symlink_path, ec);
+        if (ec) {
+            throw_or_abort("Failed to create temporary symlink: " + ec.message());
+        }
+        created = true;
+    }
+    
+    ~SafePathSymlink() {
+        if (created) {
+            std::error_code ec;
+            std::filesystem::remove(symlink_path, ec);
+        }
+    }
+    
+    // Delete copy and move operations - only needed as stack variable in exec_pipe_with_path
+    SafePathSymlink(const SafePathSymlink&) = delete;
+    SafePathSymlink& operator=(const SafePathSymlink&) = delete;
+    SafePathSymlink(SafePathSymlink&&) = delete;
+    SafePathSymlink& operator=(SafePathSymlink&&) = delete;
+    
+    std::string path() const {
+        return symlink_path.string();
+    }
+};
+
+// Helper function to execute a command with a safe file path (requires literal string prefixes)
+template<size_t N1, size_t N2 = 1>
+inline std::vector<uint8_t> exec_pipe_with_path(const char (&command_prefix)[N1], 
+                                                 const std::string& file_path,
+                                                 const char (&command_suffix)[N2] = "") {
+    SafePathSymlink safe_path(file_path);
+    std::string command = std::string(command_prefix) + safe_path.path() + std::string(command_suffix);
+    return exec_pipe_unsafe(command);
+}
+
 } // namespace bb

barretenberg/cpp/src/barretenberg/api/get_bytecode.hpp

@@ -9,8 +9,7 @@
  */
 inline std::vector<uint8_t> gunzip(const std::string& path)
 {
-    std::string command = "gunzip -c \"" + path + "\"";
-    return bb::exec_pipe(command);
+    return bb::exec_pipe_with_path("gunzip -c ", path);
 }
 
 inline std::vector<uint8_t> get_bytecode(const std::string& bytecodePath)
@@ -21,8 +20,7 @@ inline std::vector<uint8_t> get_bytecode(const std::string& bytecodePath)
     std::filesystem::path filePath = bytecodePath;
     if (filePath.extension() == ".json") {
         // Try reading json files as if they are a Nargo build artifact
-        std::string command = "jq -r '.bytecode' \"" + bytecodePath + "\" | base64 -d | gunzip -c";
-        return bb::exec_pipe(command);
+        return bb::exec_pipe_with_path("jq -r '.bytecode' ", bytecodePath, " | base64 -d | gunzip -c");
     }
 
     // For other extensions, assume file is a raw ACIR program

barretenberg/cpp/src/barretenberg/dsl/acir_format/acir_integration.test.cpp

@@ -21,13 +21,11 @@ class AcirIntegrationTest : public ::testing::Test {
         std::filesystem::path filePath = bytecodePath;
         if (filePath.extension() == ".json") {
             // Try reading json files as if they are a Nargo build artifact
-            std::string command = "jq -r '.bytecode' \"" + bytecodePath + "\" | base64 -d | gunzip -c";
-            return exec_pipe(command);
+            return exec_pipe_with_path("jq -r '.bytecode' ", bytecodePath, " | base64 -d | gunzip -c");
         }
 
         // For other extensions, assume file is a raw ACIR program
-        std::string command = "gunzip -c \"" + bytecodePath + "\"";
-        return exec_pipe(command);
+        return exec_pipe_with_path("gunzip -c ", bytecodePath);
     }
 
     // Function to check if a file exists

barretenberg/cpp/src/barretenberg/srs/factories/get_bn254_crs.cpp

@@ -8,12 +8,10 @@ std::vector<uint8_t> download_bn254_g1_data(size_t num_points)
 {
     size_t g1_end = num_points * sizeof(bb::g1::affine_element) - 1;
 
-    std::string url = "https://crs.aztec.network/g1.dat";
-
-    // IMPORTANT: this currently uses a shell, DO NOT let user-controlled strings here.
-    std::string command = "curl -H \"Range: bytes=0-" + std::to_string(g1_end) + "\" '" + url + "'";
-
-    auto data = bb::exec_pipe(command);
+    // Safe command construction with numeric interpolation and hardcoded URL
+    auto data = bb::exec_pipe_safe(literal_string("curl -H \"Range: bytes=0-"), 
+                                   g1_end, 
+                                   literal_string("\" 'https://crs.aztec.network/g1.dat'"));
     // Header + num_points * sizeof point.
     if (data.size() < g1_end) {
         throw_or_abort("Failed to download g1 data.");
@@ -24,10 +22,8 @@ std::vector<uint8_t> download_bn254_g1_data(size_t num_points)
 
 std::vector<uint8_t> download_bn254_g2_data()
 {
-    std::string url = "https://crs.aztec.network/g2.dat";
-    // IMPORTANT: this currently uses a shell, DO NOT let user-controlled strings here.
-    std::string command = "curl '" + url + "'";
-    return bb::exec_pipe(command);
+    // Safe command with hardcoded URL - using exec_pipe_safe with single literal
+    return bb::exec_pipe_safe(literal_string("curl 'https://crs.aztec.network/g2.dat'"));
 }
 } // namespace
 

barretenberg/cpp/src/barretenberg/srs/factories/get_grumpkin_crs.cpp

@@ -9,12 +9,11 @@ namespace {
 std::vector<uint8_t> download_grumpkin_g1_data(size_t num_points)
 {
     size_t g1_end = num_points * sizeof(bb::curve::Grumpkin::AffineElement) - 1;
-    std::string url = "https://crs.aztec.network/grumpkin_g1.dat";
 
-    // IMPORTANT: this currently uses a shell, DO NOT let user-controlled strings here.
-    std::string command = "curl -s -H \"Range: bytes=0-" + std::to_string(g1_end) + "\" '" + url + "'";
-
-    auto data = bb::exec_pipe(command);
+    // Safe command construction with numeric interpolation and hardcoded URL
+    auto data = bb::exec_pipe_safe(literal_string("curl -s -H \"Range: bytes=0-"), 
+                                   g1_end, 
+                                   literal_string("\" 'https://crs.aztec.network/grumpkin_g1.dat'"));
     if (data.size() < g1_end) {
         THROW std::runtime_error("Failed to download grumpkin g1 data.");
     }