
I am working on an existing shell script which has eval. I feel like that eval is unnecessary here and want to remove it to avoid injection.

Could you please check the code and advise why there is an eval in the code?

FILE_PATH=`echo $1 | awk '{ print $10 }' | cut -f2 -d'"'`
FILE_PATH=`(eval "echo ${FILE_PATH}")`
Grizzly

1 Answer


If $1 is something like ---"~/tttttttt.txt, FILE_PATH will be ~/tttttttt.txt without eval.

But with eval, FILE_PATH will be /home/user/tttttttt.txt.



#!/bin/bash
path='-----"~/tttttttt.txt'
FILE_PATH=`echo $path | awk '{ print $1 }' | cut -f2 -d'"'`
echo "${FILE_PATH}"
ls -lart  ${FILE_PATH}
FILE_PATH=`(eval "echo ${FILE_PATH}")`
echo $FILE_PATH
ls -lart  ${FILE_PATH}

If you run the above script, the output is:

~/tttttttt.txt
ls: cannot access ~/tttttttt.txt: No such file or directory
/home/user/tttttttt.txt
-rw-rw-r-- 1 user user 0 Aug 26 15:54 /home/user/tttttttt.txt
Mustafa DOGRU
  • `eval` is considered unsafe *because* it requires you to make assumptions about `$path` that you can't enforce. `eval` will let you expand the `~`, but it will also execute a command if `$path` is something like `rm -rf /`. – chepner Aug 26 '16 at 16:04
  • Yes. $1 contains a value like $TOP/bin; it has to be evaluated to get the absolute path. My requirement is to eradicate the 'eval' command. Is there any alternative for this? I tried all the scenarios in http://stackoverflow.com/questions/17529220/why-should-eval-be-avoided-in-bash-and-what-should-i-use-instead ; but no luck – radhakrishnan Aug 29 '16 at 12:14
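
One way to get the `~` and `$TOP/bin` expansion discussed in the answer and comments without `eval`, as an added example that is not code from the thread: only a leading `~` and references to variables listed in an allowlist are expanded, and anything else following a `$` makes the function fail instead of being run. The names `expand_path`, `lookup_var`, `ALLOWED_VARS` and the value `/opt/app` are assumptions of this example.

```bash
#!/bin/sh
# Added example: expand "~" and $NAME / ${NAME} in an untrusted path without eval.
# ALLOWED_VARS is this example's assumption: the only variables a path may reference.
ALLOWED_VARS="HOME TOP"

lookup_var() {
    # Print the value of an allowlisted, exported variable; fail for any other name.
    case " $ALLOWED_VARS " in
        *" $1 "*) printenv "$1" ;;
        *) return 1 ;;
    esac
}

expand_path() {
    rest=$1 out=
    # A leading "~" or "~/" becomes $HOME; "~otheruser" is kept literally.
    case $rest in
        "~" | "~/"*) out=$HOME; rest=${rest#?} ;;
    esac
    while :; do
        case $rest in *\$*) ;; *) break ;; esac
        out=$out${rest%%\$*}        # copy the literal text before the next "$"
        rest=${rest#*\$}            # continue after that "$"
        braced=
        case $rest in "{"*) braced=1; rest=${rest#?} ;; esac
        name=${rest%%[!A-Za-z0-9_]*}
        rest=${rest#"$name"}
        if [ -n "$braced" ]; then
            # Only a plain ${NAME} is accepted; ${NAME:-...} and similar are refused.
            case $rest in "}"*) rest=${rest#?} ;; *) return 1 ;; esac
        fi
        # "$(", "$1", "$$" and a trailing "$" give no valid name: fail closed.
        case $name in "" | [0-9]*) return 1 ;; esac
        val=$(lookup_var "$name") || return 1
        out=$out$val
    done
    printf '%s\n' "$out$rest"
}

# Constructed sample inputs; TOP and its value are hypothetical.
export TOP=/opt/app
for p in '~/tttttttt.txt' '$TOP/bin' '${TOP}/conf' '$(id)/x'; do
    expand_path "$p" || echo "refused: $p"
done
```

Backticks in the input are never interpreted either; they pass through as literal characters, so the result should still be quoted wherever it is used (`ls -lart "$FILE_PATH"`).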