09:58 <sdomi> question / challenge: given an associative array (`declare -A`), can passing untrusted data as a key be exploited?

09:59 <sdomi> I know it's almost always an RCE if you use regular arrays, and I wasn't able to do anything bad to associative arrays last time i tried

09:59 <sdomi> but I wonder if I missed anything

09:59 <sdomi> cc: Maja ^

10:03 <sdomi> okay i found something horrifying. setup: `declare -A meow; meow[asdf]=1; x=asdf`

10:03 <sdomi> `echo $'$x'` obviously outputs `$x`

10:04 <sdomi> `echo "${meow[$'$x']}" outputs 1

10:04 <sdomi> but only for cstrings. and only in array keys

13:39 <izabera> why is that not the same as ${meow['$x']} ?

13:40 <izabera> i don't get it at all

14:03 <mei[m]> do c-strings work as associative array keys in the first place?

16:43 <JAA> Yeah, I can't reproduce that either. And yes, $'$x' should be the same as '$x'.

16:48 <JAA> There are a bunch of quirks around arithmetic context and quoting keys, and I don't recall whether there's any non-awful safe method that works correctly across versions.

16:49 <JAA> Cf. pitfall 62

16:49 <JAA> Also `unset` and `[[ -v ... ]]`

16:50 <JAA> I haven't yet seen brokenness outside of those three contexts, but I wouldn't bet on there not being any either.

18:18 <izabera> i can reproduce

18:18 <izabera> i just don't understand it

18:24 <JAA> Oh

18:26 <JAA> It only happens when it's quoted.

18:26 <JAA> I was testing with `echo ${meow[$'$x']}` rather than `echo "${meow[$'$x']}"`.

18:27 <JAA> Ok yeah, this is cursed.