Sanitized parameters for hyprctl dispatch and hyprctl eval

[im117]

The problem

With the Lua syntax for hyprctl commands, it is harder to defend against code injection attacks than with hyprlang. This is because, while we can use the built-in bash input sanitization with the hyprlang config syntax, the hyprctl syntax used with Lua is more complicated. I have the following code for renaming a workspace using a dialog:

#!/bin/bash

# get the active workspace
ACTIVE_WORKSPACE="$(hyprctl -j activeworkspace)"

# open the rename dialog to get the new name
OLD_NAME="$(echo "$ACTIVE_WORKSPACE" | jq -r .name)"
echo "$OLD_NAME"
NEW_NAME="$(
  zenity --entry --title='Enter new name' --text='' --entry-text="$OLD_NAME" || echo "$OLD_NAME"
)"

# rename the workspace if dialog not cancelled
hyprctl dispatch "hl.dsp.workspace.rename({ workspace = \"$(echo "$ACTIVE_WORKSPACE" | jq .id)\", name = \"$NEW_NAME\" })"

I got this code after rewriting a script to do a similar thing with Hyprlang. Unlike the old script, this script has a clear code injection risk. For example, if I put the following value into the Zenity dialog:

", name = (function() hl.exec_cmd("walker"); end)(), name = "

The walker command will get executed. The intended behavior is that the workspace gets renamed to the above string.

The old script used with hyprlang for your reference:

#!/bin/bash

# get the active workspace
ACTIVE_WORKSPACE="$(hyprctl -j activeworkspace)"

# open the rename dialog to get the new name
OLD_NAME="$(echo "$ACTIVE_WORKSPACE" | jq -r .name)"
echo "$OLD_NAME"
NEW_NAME="$(
	zenity --entry --title='Enter new name' --text='' --entry-text="$OLD_NAME" || echo "$OLD_NAME"
	)"

# rename the workspace if dialog not cancelled
hyprctl dispatch renameworkspace "$(echo "$ACTIVE_WORKSPACE" | jq .id) $NEW_NAME"

The proposed feature

It would be easier for me to implement the new script correctly if I could do something like this. The args array refers to arguments passed after the raw dispatcher code. We could also implement something similar with eval.

hyprctl dispatch "hl.dsp.workspace.rename({ workspace = args[1], name = args[2] })" "$(echo $ACTIVE_WORKSPACE | jq .id)" "$NEW_NAME"