1
0
mirror of https://github.com/ohmyzsh/ohmyzsh.git synced 2024-12-23 08:13:38 +08:00
ohmyzsh/plugins/hitokoto/hitokoto.plugin.zsh
Marc Cornellà 72928432f1
fix(plugins): fix potential command injection in rand-quote and hitokoto
The `rand-quote` plugin uses quotationspage.com and prints part of its content to the
shell without sanitization, which could trigger command injection. There is no evidence
that this has been exploited, but this commit removes all possibility for exploit.

Similarly, the `hitokoto` plugin uses the hitokoto.cn website to print quotes to the
shell, also without sanitization. Furthermore, there is also no evidence that this has
been exploited, but with this change it is now impossible.
2021-11-11 22:45:24 +01:00

19 lines
489 B
Bash

if ! (( $+commands[curl] )); then
echo "hitokoto plugin needs curl to work" >&2
return
fi
function hitokoto {
setopt localoptions nopromptsubst
# Get hitokoto data
local -a data
data=("${(ps:\n:)"$(command curl -s --connect-timeout 2 "https://v1.hitokoto.cn" | command jq -j '.hitokoto+"\n"+.from')"}")
# Exit if could not fetch hitokoto
[[ -n "$data" ]] || return 0
local quote="${data[1]}" author="${data[2]}"
print -P "%F{3}${author}%f: “%F{5}${quote}%f”"
}