fix(plugins): fix potential command injection in rand-quote and `hi…
…tokoto`

The `rand-quote` plugin uses quotationspage.com and prints part of its content to the
shell without sanitization, which could trigger command injection. There is no evidence
that this has been exploited, but this commit removes all possibility for exploit.

Similarly, the `hitokoto` plugin uses the hitokoto.cn website to print quotes to the
shell, also without sanitization. Again, there is no evidence that this has been
exploited, but this change also removes that possibility.
mcornella committed Nov 11, 2021
1 parent a263cda commit 7292843
Showing 2 changed files with 27 additions and 14 deletions.
18 changes: 11 additions & 7 deletions plugins/hitokoto/hitokoto.plugin.zsh
@@ -1,14 +1,18 @@
if ! (( $+commands[curl] )); then
echo "hitokoto plugin needs curl to work" >&2
return
echo "hitokoto plugin needs curl to work" >&2
return
fi

function hitokoto {
emulate -L zsh
Q=$(curl -s --connect-timeout 2 "https://v1.hitokoto.cn" | jq -j '.hitokoto+"\t"+.from')
setopt localoptions nopromptsubst

TXT=$(echo "$Q" | awk -F '\t' '{print $1}')
WHO=$(echo "$Q" | awk -F '\t' '{print $2}')
# Get hitokoto data
local -a data
data=("${(ps:\n:)"$(command curl -s --connect-timeout 2 "https://v1.hitokoto.cn" | command jq -j '.hitokoto+"\n"+.from')"}")

[[ -n "$WHO" && -n "$TXT" ]] && print -P "%F{3}${WHO}%f: “%F{5}${TXT}%f”"
# Exit if could not fetch hitokoto
[[ -n "$data" ]] || return 0

local quote="${data[1]}" author="${data[2]}"
print -P "%F{3}${author}%f: “%F{5}${quote}%f”"
}
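Review bot: The `print -P` on the last line still runs prompt expansion over `${author}` and `${quote}`, which are taken verbatim from the HTTP response; `setopt nopromptsubst` stops `$(...)` and `${...}` from being evaluated, but `%`-escapes such as `%F{..}` or `%{...%}` in the fetched text are still interpreted, and raw control bytes are presumably passed through to the terminal unchanged. Prompt-expand only the literal colour markup and strip control characters from the data, e.g. `print -r -- "${(%):-%F{3}}${author//[[:cntrl:]]/}${(%):-%f}: “${(%):-%F{5}}${quote//[[:cntrl:]]/}${(%):-%f}”"`. The guard at the top checks only for curl while the pipeline also requires jq; with jq missing the function returns 0 silently, so the guard could be extended with `(( $+commands[jq] ))` or the empty-data branch could write a diagnostic to stderr.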
23 changes: 16 additions & 7 deletions plugins/rand-quote/rand-quote.plugin.zsh
@@ -1,14 +1,23 @@
if ! (( $+commands[curl] )); then
echo "rand-quote plugin needs curl to work" >&2
return
echo "rand-quote plugin needs curl to work" >&2
return
fi

function quote {
emulate -L zsh
Q=$(curl -s --connect-timeout 2 "http://www.quotationspage.com/random.php" | iconv -c -f ISO-8859-1 -t UTF-8 | grep -m 1 "dt ")
setopt localoptions nopromptsubst

TXT=$(echo "$Q" | sed -e 's/<\/dt>.*//g' -e 's/.*html//g' -e 's/^[^a-zA-Z]*//' -e 's/<\/a..*$//g')
WHO=$(echo "$Q" | sed -e 's/.*\/quotes\///g' -e 's/<.*//g' -e 's/.*">//g')
# Get random quote data
local data
data="$(command curl -s --connect-timeout 2 "http://www.quotationspage.com/random.php" \
| iconv -c -f ISO-8859-1 -t UTF-8 \
| command grep -a -m 1 'dt class="quote"')"

[[ -n "$WHO" && -n "$TXT" ]] && print -P "%F{3}${WHO}%f: “%F{5}${TXT}%f”"
# Exit if could not fetch random quote
[[ -n "$data" ]] || return 0

local quote author
quote=$(sed -e 's|</dt>.*||g' -e 's|.*html||g' -e 's|^[^a-zA-Z]*||' -e 's|</a..*$||g' <<< "$data")
author=$(sed -e 's|.*/quotes/||g' -e 's|<.*||g' -e 's|.*">||g' <<< "$data")

print -P "%F{3}${author}%f: “%F{5}${quote}%f”"
}
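Review bot: The new `print -P` on the last line still interprets `%`-escapes inside `${author}` and `${quote}`, and both are cut by sed out of a page fetched over plain `http://`, so an on-path attacker controls their content; `nopromptsubst` blocks command and parameter substitution but not prompt escapes like `%F{..}` or `%{...%}`, and control bytes in the text are presumably emitted as-is. Apply prompt expansion only to the literal colour markup and strip control characters from the fetched strings: `print -r -- "${(%):-%F{3}}${author//[[:cntrl:]]/}${(%):-%f}: “${(%):-%F{5}}${quote//[[:cntrl:]]/}${(%):-%f}”"`. If quotationspage.com serves the page over TLS (not verifiable from here), changing the URL to `https://` would also close the on-path tampering vector that this sanitization is defending against.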
