$ echo 'user1:::::/home/user1:/bin/sh' > passwd.txt
$ ./cdwdoc-2023-001_sample_dir3.sh user1
/home/user1

$ echo 'user2:::::/home/user1/../../root:/bin/sh' >> passwd.txt
$ ./cdwdoc-2023-001_sample_dir3.sh user2
error: invalid dir

$ printf 'user3:::::/home/user1/' >> passwd.txt
$ yes '../' | head -43685 | tr -d '\n' >> passwd.txt
$ printf 'root:/bin/sh\n' >> passwd.txt
$ ./cdwdoc-2023-001_sample_dir3.sh user3
./cdwdoc-2023-001_sample_dir3.sh: 9: /bin/echo: Argument list too long
/root

This code extracts a string from passwd.txt in the current directory and finally passes it to `realpath`. before passing it to `realpath`, the string is checked. In the example that will be shown, it is assumed that `/home/user1` exists. `passwd.txt` is a bit like `/etc/passwd` and is intended for data where the first column is the user name and the sixth column is the directory. ``` $ echo 'user1:::::/home/user1:/bin/sh' > passwd.txt $ ./cdwdoc-2023-001_sample_dir3.sh user1 /home/user1 ``` So what happens if the sixth column is something like "/home/user1/../../root"? ``` $ echo 'user2:::::/home/user1/../../root:/bin/sh' >> passwd.txt $ ./cdwdoc-2023-001_sample_dir3.sh user2 error: invalid dir ``` It is properly recognized as fraudulent. So what happens when we do this? ``` $ printf 'user3:::::/home/user1/' >> passwd.txt $ yes '../' | head -43685 | tr -d '\n' >> passwd.txt $ printf 'root:/bin/sh\n' >> passwd.txt $ ./cdwdoc-2023-001_sample_dir3.sh user3 ./cdwdoc-2023-001_sample_dir3.sh: 9: /bin/echo: Argument list too long /root ``` We got a "/root" output. When trying `cdwdoc-2023-001_sample_dir.sh` as a stand-alone script from a terminal, the user trying it is themselves affected by the ARG_MAX limit. In the case of `cdwdoc-2023-001_sample_dir3.sh`, the attackers themselves may not be affected by the ARG_MAX limit. `cdwdoc-2023-001_sample_dir.sh` is here: https://gitlab.com/-/snippets/2487375