From 07f5e776dcc30887198024408331919a86c8ed05 Mon Sep 17 00:00:00 2001
From: aarondill
Date: Wed, 5 Jul 2023 14:38:56 -0500
Subject: [PATCH] improve safety while using variables with utilities by passing `--`

This pattern *is* POSIX defined (see [here](https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap12.html#tag_12_02)):
```
Guideline 10: The first -- argument that is not an option-argument should be accepted as a delimiter indicating the end of options. Any following arguments should be treated as operands, even if they begin with the '-' character.
```
This ensures that odd values for _bin_name, _bin_dir, and others aren't treated as options to the command and cause a failure.
---
 install.sh | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/install.sh b/install.sh
index 21da57b..892b1d4 100755
--- a/install.sh
+++ b/install.sh
@@ -143,8 +143,8 @@ main() {
 # Install binary.
 # shellcheck disable=SC2086 # The lack of quoting is intentional. This may not be the best way to do it, but it's hard to properly do in POSIX
 {
- ensure ${_sudo} cp "${_bin_name}" "${_bin_dir}"
- ensure ${_sudo} chmod +x "${_bin_dir}/${_bin_name}"
+ ensure ${_sudo} cp -- "${_bin_name}" "${_bin_dir}"
+ ensure ${_sudo} chmod +x -- "${_bin_dir}/${_bin_name}"
 }
 log "Installed zoxide to ${_bin_dir}"
@@ -165,9 +165,9 @@ main() {
 # shellcheck disable=SC2086 # The lack of quoting is intentional.
 {
 if ! [ -d "${_man_dir}/man1/" ]; then
- ensure ${_sudo} mkdir -p "${_man_dir}/man1/"
+ ensure ${_sudo} mkdir -p -- "${_man_dir}/man1/"
 fi
- ensure ${_sudo} cp "man/man1/"* "${_man_dir}/man1/"
+ ensure ${_sudo} cp -- "man/man1/"* "${_man_dir}/man1/"
 }
 log "Installed manpages to ${_man_dir}"
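Review bot: In the new chmod line the `--` follows the mode operand (`chmod +x -- …`), which is not the order Guideline 10 covers: `--` ends option parsing only when it precedes the first operand, and `+x` is already an operand. GNU chmod tolerates this because its getopt permutes arguments, but a BSD-style chmod (FreeBSD, macOS) stops option parsing at `+x` and then, I believe, takes `--` as a file to chmod, so the install step would abort there. `ensure ${_sudo} chmod -- +x "${_bin_dir}/${_bin_name}"` is the portable order; the cp line is fine as written. main() continues outside this hunk on both sides.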
@@ -200,11 +200,11 @@ download_zoxide() {
 local _releases_url="https://api.github.com/repos/ajeetdsouza/zoxide/releases/latest"
 local _releases
 case "${_dld}" in
- curl) _releases="$(curl -sL "${_releases_url}")" ||
+ curl) _releases="$(curl -sSfL -- "${_releases_url}")" ||
 abort "curl: failed to download ${_releases_url}" ;;
- wget) _releases="$(wget -qO- "${_releases_url}")" ||
+ wget) _releases="$(wget -qO- -- "${_releases_url}")" ||
 abort "wget: failed to download ${_releases_url}" ;;
- fetch) _releases="$(fetch --quiet "${_releases_url}")" ||
+ fetch) _releases="$(fetch --quiet -- "${_releases_url}")" ||
 abort "fetch: failed to download ${_releases_url}" ;;
 *) abort "unsupported downloader: ${_dld}" ;;
 esac
@@ -212,7 +212,7 @@ download_zoxide() {
 abort "you have exceeded GitHub's API rate limit. Please try again later, or use a different installation method: https://github.com/ajeetdsouza/zoxide/#installation"
 local _package_url
- _package_url="$(printf "%s" "${_releases}" | grep "browser_download_url" | cut -d '"' -f 4 | grep "${_arch}")" ||
+ _package_url="$(printf "%s" "${_releases}" | grep "browser_download_url" | cut -d '"' -f 4 | grep -F -- "${_arch}")" ||
 abort "zoxide has not yet been packaged for your architecture (${_arch}), please file an issue: https://github.com/ajeetdsouza/zoxide/issues"
 local _ext
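Review bot: The curl branch also gains `-S` and `-f`, which the commit message does not mention, and `-f` changes error handling: a GitHub rate-limit response is an HTTP 403, so curl now exits non-zero and the generic `abort "curl: failed to download …"` fires before the dedicated rate-limit check (presumably on the content of `${_releases}`; its `abort` is visible in the next hunk) can be reached. The wget and fetch branches get no equivalent option, so the three downloaders now diverge on HTTP error responses. If `-f` is intended, a comment such as `# -f: HTTP errors (including a 403 rate limit) are reported as a download failure` on the curl line would make the trade-off explicit; otherwise keep `-sL` and let the body check handle it. download_zoxide() continues outside this hunk.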
@@ -224,9 +224,9 @@ download_zoxide() {
 local _package="zoxide.${_ext}"
 case "${_dld}" in
- curl) _releases="$(curl -sLo "${_package}" "${_package_url}")" || abort "curl: failed to download ${_package_url}" ;;
- wget) _releases="$(wget -qO "${_package}" "${_package_url}")" || abort "wget: failed to download ${_package_url}" ;;
- fetch) _releases="$(fetch --quiet --output="${_package}" "${_package_url}")" || abort "fetch: failed to download ${_package_url}" ;;
+ curl) _releases="$(curl -sLo "${_package}" -- "${_package_url}")" || abort "curl: failed to download ${_package_url}" ;;
+ wget) _releases="$(wget -qO "${_package}" -- "${_package_url}")" || abort "wget: failed to download ${_package_url}" ;;
+ fetch) _releases="$(fetch --quiet --output="${_package}" -- "${_package_url}")" || abort "fetch: failed to download ${_package_url}" ;;
 *) abort "unsupported downloader: ${_dld}" ;;
 esac
@@ -473,8 +473,8 @@ test_writeable() {
 abort "BUG: test_writeable requires a path to test."
 fi
 path="$1/test.txt"
- if touch "${path}" 2>/dev/null; then
- rm "${path}"
+ if touch -- "${path}" 2>/dev/null; then
+ rm -- "${path}"
 return 0
 else
 return 1
@@ -495,7 +495,7 @@ need_cmd() {
 fi
 }
-has_cmd() { command -v "$1" >/dev/null 2>&1; }
+has_cmd() { command -v -- "$1" >/dev/null 2>&1; }
 # parse the arguments passed and set the environment variables accordingly
 parse_args() {
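Review bot: The curl line of the package download is now inconsistent with the metadata fetch two hunks up: there curl got `-sSfL`, here it stays `-sLo`, so an HTTP error page (e.g. a 404 for `${_package_url}`) is written to `${_package}` with exit status 0 and the failure only surfaces later, at extraction, with a less useful message. `curl -sSfLo "${_package}" -- "${_package_url}"` would make the two calls behave the same. Assigning the (empty) output of this download to `_releases` is pre-existing but misleading, since that variable otherwise holds the release metadata. download_zoxide() continues outside this hunk.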
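Review bot: test_writeable still probes with the fixed name `path="$1/test.txt"`, and the new `touch -- "${path}"` / `rm -- "${path}"` pair succeeds on, and then deletes, a file of that name that already existed in the target directory, so a user's `test.txt` in the chosen bin or man directory is silently removed. Refusing to reuse an existing file and picking a less collision-prone name avoids that: `path="$1/.zoxide-write-test.$$"` and `if [ ! -e "${path}" ] && touch -- "${path}" 2>/dev/null; then`. The function's opening and the closing `fi` of this if/else lie outside the hunk.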