1
0
mirror of https://github.com/dcarrillo/prezto.git synced 2024-11-20 07:31:11 +00:00
prezto/modules/prompt/functions/prompt_sorin_setup
Samantha McVey 5cd3380d9d [prompt/sorin] Fix branch code exploit vulnerability
Escape all $ except the first $. Escape all backtick `'s. This prevents
variable names or shell expansions placed as branch names from
remotely exploiting code.

Fixes issue #1267 for sorin prompt.
2017-07-05 13:06:36 -07:00

154 lines
4.8 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#
# A simple theme that displays relevant, contextual information.
#
# Authors:
# Sorin Ionescu <sorin.ionescu@gmail.com>
#
# Screenshots:
# http://i.imgur.com/nrGV6pg.png
#
#
# 16 Terminal Colors
# -- ---------------
# 0 black
# 1 red
# 2 green
# 3 yellow
# 4 blue
# 5 magenta
# 6 cyan
# 7 white
# 8 bright black
# 9 bright red
# 10 bright green
# 11 bright yellow
# 12 bright blue
# 13 bright magenta
# 14 bright cyan
# 15 bright white
#
# Load dependencies.
pmodload 'helper'
prompt_sorin_git_info() {
if (( _prompt_sorin_precmd_async_pid > 0 )); then
# Append Git status.
if [[ -s "$_prompt_sorin_precmd_async_data" ]]; then
alias typeset='typeset -g'
source "$_prompt_sorin_precmd_async_data"
RPROMPT+='${git_info:+${(e)git_info[status]}}'
unalias typeset
fi
# Reset PID.
_prompt_sorin_precmd_async_pid=0
# Redisplay prompt.
zle && zle reset-prompt
fi
}
function prompt_sorin_precmd_async {
# Get Git repository information.
if (( $+functions[git-info] )); then
git-info
### TODO XXX
# This section exists to patch over vulnerabilities when sourcing the
# file in $_prompt_sorin_precmd_async_data. Without it if a branch is named
# $foo it will expand if we have a $foo variable, and a branch named
# $(IFS=_;cmd=rm_-rf_~;$cmd) could delete the users home directory.
# This is a stopgap to prevent code execution and fix the vulnerability,
# but it eventually needs to be removed in favor of zsh_async and not using
# a file to store the prompt data in.
###
local tmp_prompt_var=$(typeset -p git_info)
# Replace all $ with $\ to escape
tmp_prompt_var=${tmp_prompt_var//\$/\\$}
# Unescape the first \$ as it's our $( )
tmp_prompt_var=${tmp_prompt_var:s/\\$/\$}
# Escape all backticks ` to \`
tmp_prompt_var=${tmp_prompt_var//\`/\\\`}
printf "%s\n" "$tmp_prompt_var" >! "$_prompt_sorin_precmd_async_data"
fi
# Signal completion to parent process.
kill -WINCH $$
}
function prompt_sorin_precmd {
setopt LOCAL_OPTIONS
unsetopt XTRACE KSH_ARRAYS
# Format PWD.
_prompt_sorin_pwd=$(promptpwd)
# Define prompts.
RPROMPT='${editor_info[overwrite]}%(?:: %F{1}⏎%f)${VIM:+" %B%F{6}V%f%b"}'
# Kill the old process of slow commands if it is still running.
if (( _prompt_sorin_precmd_async_pid > 0 )); then
kill -KILL "$_prompt_sorin_precmd_async_pid" &>/dev/null
fi
# Compute slow commands in the background.
trap prompt_sorin_git_info WINCH
prompt_sorin_precmd_async &!
_prompt_sorin_precmd_async_pid=$!
}
function prompt_sorin_setup {
setopt LOCAL_OPTIONS
unsetopt XTRACE KSH_ARRAYS
prompt_opts=(cr percent subst)
_prompt_sorin_precmd_async_pid=0
_prompt_sorin_precmd_async_data=$(mktemp "${TMPDIR:-/tmp}/sorin-prompt-async-XXXXXXXXXX")
# Load required functions.
autoload -Uz add-zsh-hook
# Add hook for calling git-info before each command.
add-zsh-hook precmd prompt_sorin_precmd
# Set editor-info parameters.
zstyle ':prezto:module:editor:info:completing' format '%B%F{7}...%f%b'
zstyle ':prezto:module:editor:info:keymap:primary' format ' %B%F{1}%F{3}%F{2}%f%b'
zstyle ':prezto:module:editor:info:keymap:primary:overwrite' format ' %F{3}♺%f'
zstyle ':prezto:module:editor:info:keymap:alternate' format ' %B%F{2}%F{3}%F{1}%f%b'
# Set git-info parameters.
zstyle ':prezto:module:git:info' verbose 'yes'
zstyle ':prezto:module:git:info:action' format '%F{7}:%f%%B%F{9}%s%f%%b'
zstyle ':prezto:module:git:info:added' format ' %%B%F{2}✚%f%%b'
zstyle ':prezto:module:git:info:ahead' format ' %%B%F{13}⬆%f%%b'
zstyle ':prezto:module:git:info:behind' format ' %%B%F{13}⬇%f%%b'
zstyle ':prezto:module:git:info:branch' format ' %%B%F{2}%b%f%%b'
zstyle ':prezto:module:git:info:commit' format ' %%B%F{3}%.7c%f%%b'
zstyle ':prezto:module:git:info:deleted' format ' %%B%F{1}✖%f%%b'
zstyle ':prezto:module:git:info:modified' format ' %%B%F{4}✱%f%%b'
zstyle ':prezto:module:git:info:position' format ' %%B%F{13}%p%f%%b'
zstyle ':prezto:module:git:info:renamed' format ' %%B%F{5}➜%f%%b'
zstyle ':prezto:module:git:info:stashed' format ' %%B%F{6}✭%f%%b'
zstyle ':prezto:module:git:info:unmerged' format ' %%B%F{3}═%f%%b'
zstyle ':prezto:module:git:info:untracked' format ' %%B%F{7}◼%f%%b'
zstyle ':prezto:module:git:info:keys' format \
'status' '$(coalesce "%b" "%p" "%c")%s%A%B%S%a%d%m%r%U%u'
# Define prompts.
PROMPT='${SSH_TTY:+"%F{9}%n%f%F{7}@%f%F{3}%m%f "}%F{4}${_prompt_sorin_pwd}%(!. %B%F{1}#%f%b.)${editor_info[keymap]} '
RPROMPT=''
SPROMPT='zsh: correct %F{1}%R%f to %F{2}%r%f [nyae]? '
}
function prompt_sorin_preview {
local +h PROMPT=''
local +h RPROMPT=''
local +h SPROMPT=''
editor-info 2>/dev/null
prompt_preview_theme 'sorin'
}
prompt_sorin_setup "$@"