From 4abd284fa4b68526d3dc918f9d4d87504044b792 Mon Sep 17 00:00:00 2001 From: Vladyslav Burzakovskyy Date: Tue, 28 May 2019 16:29:47 +0200 Subject: [PATCH] git-completion: sanitize the command names Do not declare/execute commands that contain invalid or special characters. If the autocompleted command contains illegal characters, for example when misspelling `git pull` as `git [ull`, then the user will see an error. This patch adds a character whitelist for commands that strips all but lowercase alphabetic characters and dashes, so that misspells fail silently. This patch uses the `[[` keyword that is not sh-compatible, but it's okay since the change affects BASH and ZSH-specific autocomplete scripts. Signed-off-by: Vladyslav Burzakovskyy --- contrib/completion/git-completion.bash | 1 + contrib/completion/git-completion.zsh | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/contrib/completion/git-completion.bash b/contrib/completion/git-completion.bash index 3eefbabdb12266..a05726b8f54d7c 100644 --- a/contrib/completion/git-completion.bash +++ b/contrib/completion/git-completion.bash @@ -2853,6 +2853,7 @@ __git_support_parseopt_helper () { __git_complete_command () { local command="$1" local completion_func="_git_${command//-/_}" + [[ "$command" =~ [^a-z-] ]] && return 1 if ! declare -f $completion_func >/dev/null 2>/dev/null && declare -f _completion_loader >/dev/null 2>/dev/null then diff --git a/contrib/completion/git-completion.zsh b/contrib/completion/git-completion.zsh index 886bf95d1f5940..851cba8148ad23 100644 --- a/contrib/completion/git-completion.zsh +++ b/contrib/completion/git-completion.zsh @@ -116,8 +116,9 @@ __git_zsh_bash_func () emulate -L ksh local command=$1 - local completion_func="_git_${command//-/_}" + + [[ "$command" =~ [^a-z-] ]] && return declare -f $completion_func >/dev/null && $completion_func && return local expansion=$(__git_aliased_command "$command")
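Review bot: The allowlist in the added `[[ "$command" =~ [^a-z-] ]] && return 1` line is narrower than the set of names git accepts, so it also turns away legitimate commands and aliases that contain digits or uppercase letters (for example `p4`); the git-completion.zsh hunk uses the same pattern. The part that matters for safety is keeping shell metacharacters out of `completion_func`, which is expanded unquoted in `declare -f $completion_func`, and `[[ "$command" =~ [^a-zA-Z0-9_-] ]] && return 1` would keep that protection without dropping valid names. Range expressions such as `a-z` may also match differently outside the C locale, so it is worth confirming the check behaves the same under the locales users run. Quoting the expansion as `declare -f "$completion_func"` would add a second layer that does not depend on the pattern being complete. The body of `__git_complete_command` continues past the end of the hunk.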
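Review bot: The bare `return` in the added `[[ "$command" =~ [^a-z-] ]] && return` line propagates the status of the `[[` test, which is 0 when the name is rejected, while the git-completion.bash hunk returns 1 for the same condition; any caller that checks the status would read a rejected name as a successful completion. The guard also sits before `local expansion=$(__git_aliased_command "$command")`, so an alias whose name falls outside the pattern never has its expansion completed, even though only the `$completion_func` lookup needs protecting. Using `return 1` here, and applying the guard only around the `declare -f $completion_func` line, would keep the two scripts consistent and leave alias handling intact. `__git_zsh_bash_func` starts and ends outside the hunk.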