| | cmdjail | JDK |
|---|---|---|
| Posts | 1 | 206 |
| Stars | 2 | 21,349 |
| Growth | - | 1.1% |
| Activity | 8.6 | 10.0 |
| Latest commit | about 1 month ago | 3 days ago |
| Language | Go | Java |
| License | MIT License | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
cmdjail
The curious case of shell commands, or how "this bug is required by POSIX"
AD: Huh! I just wrote a utility cmd [1] this weekend to deal with restricting ssh keys to executing only commands that match a rule set via `ForceCommand` in `sshd_config` or `Command=""` in `authorized_keys`. I'm curious to see how susceptible it is to the aforementioned issues; it does delegate to ` -c ''` under the hood [2], but there are checks to ensure only a single command option argument `--` is passed (to mitigate metacharacter expansions) [3].
Note this tool is only intended to be another layer in security.
[1] https://github.com/endiangroup/cmdjail
JDK
The curious case of shell commands, or how "this bug is required by POSIX"
Java has a bunch of code which looks like it's trying to do the right kind of escaping for msvcrt vs cmd.exe:
https://github.com/openjdk/jdk/blob/jdk-26%2B1/src/java.base...
But I would be lying if I said I understood what was going on there. Some googling suggests this was added around 1.7, i.e. in the early 2010s.
But then, that Rust CVE seems to originate in this work, and this guy claims Java said "won't fix", which suggests it is vulnerable:
https://flatt.tech/research/posts/batbadbut-you-cant-securel...
But there's no link, and I can't find any discussion about it, so I don't know what the actual situation is.
- Strings Just Got Faster
- To `Gather` or not to `Gather`? That is the question.
TinyCompiler: A Compiler in a Week-End
> if javac involves IR, SSA based analysis and transformation (which I assume it does)
https://github.com/openjdk/jdk/blob/master/src/jdk.compiler/...
I am fairly certain that it does not. I wrote a compiler for a simple programming language that compiled down to JVM for a project in the early 2010s. Its output was as fast as the Java one because they were fairly similar when you compared the generated bytecode. The HotSpot JVM is where all the optimization effort is applied.
- OpenJDK: x86_64 AVX512 intrinsics for Arrays.sort methods (2023)
- Ideas from "A Philosophy of Software Design"
The Humble for Loop in Rust
Not sure how accurate/non-outdated though.
https://github.com/openjdk/jdk/blob/master/src/hotspot/share...
Modern Hotspot can autovectorize at the very least.
- Compact Object Headers in Java 24
- Hash Ordering and Hyrum's Law
Tcl 9.0.0 Released
A handler for treating .zip (and .jar and .tar ...) files as if they were a volume mounted at /home/user/foo.zip - e.g. https://github.com/openjdk/jdk/blob/jdk-21-ga/src/java.base/...
It may be easier to reason about when thinking of the way $(mount -o loop) works with .iso files -- a file that is a container for other files that one can mount as if it were a filesystem
I was expecting pathlib in Python <https://docs.python.org/3/library/pathlib.html> to have one since a lot of Python distributions ship the standard library in .zip files but evidently not. Python gonna Python in that way
Firefox actually used to ship with that same "jar:" protocol handler, too, and I made good use of it for reading the javadoc html which was shipped inside zip files and was indescribably easier than trying to manage all the .html files in a Java 8 SDK distribution
What are some alternatives?
Graal - GraalVM compiles Java applications into native executables that start instantly, scale fast, and use fewer compute resources 🚀
aircraft - The A32NX & A380X Project are community driven open source projects to create free Airbus aircraft in Microsoft Flight Simulator that are as close to reality as possible.
V8 - The official mirror of the V8 Git repository
steam-runtime - A runtime environment for Steam applications
Caffeine - A high performance caching library for Java