From 838c084b50909a015aa7ced9730b9c531079bd99 Mon Sep 17 00:00:00 2001
From: Johannes Schlatow <johannes.schlatow@genode-labs.com>
Date: Thu, 12 Sep 2024 10:59:48 +0200
Subject: [PATCH] run/sculpt: confirm command execution

In order to prevent untrusted goarc files to execute malicious commands
via target_opt(sculpt-cmd), users must confirm the command execution
interactively.

genodelabs/goa#99
---
 share/goa/lib/run/sculpt.tcl | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/share/goa/lib/run/sculpt.tcl b/share/goa/lib/run/sculpt.tcl
index 00fed9a..8951005 100644
--- a/share/goa/lib/run/sculpt.tcl
+++ b/share/goa/lib/run/sculpt.tcl
@@ -71,8 +71,20 @@ proc run_genode { } {
 	if {[info exists target_opt($target-cmd)]} {
 		set    opt_cmd "SERVER=$host;"
 		append opt_cmd {*}$target_opt($target-cmd)
-		spawn sh -c "$opt_cmd"
-		set cmd_spawn_id $spawn_id
+
+		# ask user for confirmation before spawning optional command
+		send_user "Do you want to run '$opt_cmd'? \[Y/n]: "
+		set choice [expect_user {
+			-nocase n { expr 0 }
+			-nocase y { expr 1 }
+			-re "\n"  { expr 1 }
+			timeout   { expr 0 }
+		}]
+
+		if {$choice} {
+			spawn sh -c "$opt_cmd"
+			set cmd_spawn_id $spawn_id
+		}
 	}
 
 	eval spawn -noecho telnet $host $port_telnet