Always single-quote directory when cd'ing to get shell env (#9145)

This avoids us potentially executing code (if someone were to name their
directory `$(echo you-are-pwned > /secure-files)`, for example).

Works with zsh, bash, fish, nushell. Tested locally with all of them.

Release Notes:

- N/A
Thorsten Ball 2024-03-10 13:53:24 +01:00 committed by GitHub
parent 597465b0f5
commit f4a86e6fea
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 3 additions and 2 deletions


@ -9601,7 +9601,8 @@ async fn load_shell_environment(dir: &Path) -> Result<HashMap<String, String>> {
});
let command = format!(
"cd {dir:?};{} echo {marker}; /usr/bin/env -0; exit 0;",
"cd '{}';{} echo {marker}; /usr/bin/env -0; exit 0;",
dir.display(),
additional_command.unwrap_or("")
);
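Review bot: Single-quoting `dir.display()` in the `format!` string does not cover a directory name that itself contains a `'`. That character closes the quoted literal and the rest of the name is parsed by the shell again, so the injection this commit targets is narrowed rather than closed. Escape embedded quotes before interpolating, for example `let quoted = dir.display().to_string().replace('\'', "'\\''");` and then `"cd '{quoted}';{} echo {marker}; ..."`. This is the POSIX form; the commit message lists fish and nushell as supported, and their quoting rules differ, so the escaping likely has to be chosen per shell and tested with a quote-containing path. Separately, `display()` is lossy for non-UTF-8 paths, so the `cd` may target a different string than the real directory. The body of `load_shell_environment` starts and continues outside this hunk, so how the command string is spawned is not visible here.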