From 69e29378915d53655d8fa8dc181b6cf526754569 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc=20Cornell=C3=A0?= <hello@mcornella.com>
Date: Fri, 11 Feb 2022 19:51:52 +0100
Subject: [PATCH 1/4] fix(updater): fix input check on non-interactive runs

Reference: https://www.zsh.org/mla/users/2022/msg00067.html
---
 tools/check_for_upgrade.sh | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/tools/check_for_upgrade.sh b/tools/check_for_upgrade.sh
index 33f30c85a..a36aecb84 100644
--- a/tools/check_for_upgrade.sh
+++ b/tools/check_for_upgrade.sh
@@ -95,13 +95,21 @@ function has_typed_input() {
   emulate -L zsh
   zmodload zsh/zselect
 
+  # Back up stty settings prior to disabling canonical mode
+  # Consider that no input can be typed if stty fails
+  # (this might happen if stdin is not a terminal)
+  local termios
+  termios=$(stty --save 2>/dev/null) || return 1
   {
-    local termios=$(stty --save)
+    # Disable canonical mode so that typed input counts
+    # regardless of whether Enter was pressed
     stty -icanon
 
+    # Poll stdin (fd 0) for data ready to be read
     zselect -t 0 -r 0
     return $?
   } always {
+    # Restore stty settings
     stty $termios
   }
 }

From 5fad26ca4fae7169f5bba8fa6718d58cb2c0bd20 Mon Sep 17 00:00:00 2001
From: Carlo Sala <carlosalag@protonmail.com>
Date: Fri, 11 Feb 2022 20:45:09 +0100
Subject: [PATCH 2/4] feat(ripgrep): update `rg` completion to v13.0.0 (#10687)

Source: https://github.com/BurntSushi/ripgrep/blob/13.0.0/complete/_rg
---
 plugins/ripgrep/README.md | 4 ----
 plugins/ripgrep/_ripgrep  | 4 +++-
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/plugins/ripgrep/README.md b/plugins/ripgrep/README.md
index a26f45823..ab9d04116 100644
--- a/plugins/ripgrep/README.md
+++ b/plugins/ripgrep/README.md
@@ -7,7 +7,3 @@ To use it, add `ripgrep` to the plugins array in your zshrc file:
 ```zsh
 plugins=(... ripgrep)
 ```
-
-Completion is taken from the ripgrep release [`12.1.1`](https://github.com/BurntSushi/ripgrep/releases/tag/12.1.1).
-
-Updated on April 1st, 2021.
diff --git a/plugins/ripgrep/_ripgrep b/plugins/ripgrep/_ripgrep
index 828a6e601..31bc697c7 100644
--- a/plugins/ripgrep/_ripgrep
+++ b/plugins/ripgrep/_ripgrep
@@ -121,7 +121,7 @@ _rg() {
     "(pretty-vimgrep)--no-heading[don't show matches grouped by file name]"
 
     + '(hidden)' # Hidden-file options
-    '--hidden[search hidden files and directories]'
+    {-.,--hidden}'[search hidden files and directories]'
     $no"--no-hidden[don't search hidden files and directories]"
 
     + '(hybrid)' # hybrid regex options
@@ -303,6 +303,8 @@ _rg() {
     '--context-separator=[specify string used to separate non-continuous context lines in output]:separator'
     $no"--no-context-separator[don't print context separators]"
     '--debug[show debug messages]'
+    '--field-context-separator[set string to delimit fields in context lines]'
+    '--field-match-separator[set string to delimit fields in matching lines]'
     '--trace[show more verbose debug messages]'
     '--dfa-size-limit=[specify upper size limit of generated DFA]:DFA size (bytes)'
     "(1 stats)--files[show each file that would be searched (but don't search)]"

From 02b52a03a5a78362c57d75c507240f69d4260d9a Mon Sep 17 00:00:00 2001
From: Carlo Sala <carlosalag@protonmail.com>
Date: Fri, 11 Feb 2022 21:47:44 +0100
Subject: [PATCH 3/4] feat(fd): update `fd` completion to v8.3.2 (#10688)

Source: https://github.com/sharkdp/fd/blob/v8.3.2/contrib/completion/_fd
---
 plugins/fd/README.md | 4 ----
 plugins/fd/_fd       | 9 +++++++--
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/plugins/fd/README.md b/plugins/fd/README.md
index cf9f7815d..f3341612f 100644
--- a/plugins/fd/README.md
+++ b/plugins/fd/README.md
@@ -7,7 +7,3 @@ To use it, add `fd` to the plugins array in your zshrc file:
 ```zsh
 plugins=(... fd)
 ```
-
-Completion is taken from the fd release [`8.2.1`](https://github.com/sharkdp/fd/releases/tag/v8.2.1).
-
-Updated on April 1st, 2021.
diff --git a/plugins/fd/_fd b/plugins/fd/_fd
index f5d9e01d2..45b8ca477 100644
--- a/plugins/fd/_fd
+++ b/plugins/fd/_fd
@@ -1,4 +1,4 @@
-#compdef fd fdfind
+#compdef fd
 
 ##
 # zsh completion function for fd
@@ -57,6 +57,7 @@ _fd() {
     + no-ignore-partial # some ignore files
     "(no-ignore-full --no-ignore-vcs)--no-ignore-vcs[don't respect .gitignore files]"
     "!(no-ignore-full --no-global-ignore-file)--no-global-ignore-file[don't respect the global ignore file]"
+    $no'(no-ignore-full --no-ignore-parent)--no-ignore-parent[]'
 
     + '(case)' # case-sensitivity
     {-s,--case-sensitive}'[perform a case-sensitive search]'
@@ -138,6 +139,7 @@ _fd() {
     + '(exec-cmds)' # execute command
     '(long-listing max-results)'{-x+,--exec=}'[execute command for each search result]:command: _command_names -e:*\;::program arguments: _normal'
     '(long-listing max-results)'{-X+,--exec-batch=}'[execute command for all search results at once]:command: _command_names -e:*\;::program arguments: _normal'
+    '(long-listing max-results)--batch-size=[max number of args for each -X call]:size'
 
     + other
     '!(--max-buffer-time)--max-buffer-time=[set amount of time to buffer before showing output]:time (ms)'
@@ -153,6 +155,9 @@ _fd() {
     $no'(--base-directory)--base-directory=[change the current working directory to the given path]:directory:_files -/'
     $no'(*)*--search-path=[set search path (instead of positional <path> arguments)]:directory:_files -/'
 
+    + strip-cwd-prefix
+    $no'(strip-cwd-prefix exec-cmds)--strip-cwd-prefix[Strip ./ prefix when output is redirected]'
+
     + args # positional arguments
     '1: :_guard "^-*" pattern'
     '(--search-path)*:directory:_files -/'
@@ -220,7 +225,7 @@ _fd() {
 _fd "$@"
 
 # ------------------------------------------------------------------------------
-# Copyright (c) 2011 Github zsh-users - http://github.com/zsh-users
+# Copyright (c) 2011 GitHub zsh-users - http://github.com/zsh-users
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without

From ef3f7c43a91eb2c90098843b0ee9193bb52cdc96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc=20Cornell=C3=A0?= <hello@mcornella.com>
Date: Sun, 13 Feb 2022 18:59:27 +0100
Subject: [PATCH 4/4] fix: apply workaround patch for vcs_info (CVE-2021-45444)

This lib function applies a patch to the VCS_INFO_formats function
in zsh versions from v5.0.3 until v5.8, which don't quote % chars
in some arguments received. Normally that just means that some
% characters in these strings (branch names, directories, etc.)
will be incorrectly parsed as formatting sequences.

With CVE-2021-45444, however, this means that one of these strings
from a malicious source (e.g. a malicious git repository) can
trigger command injection and run arbitrary code in the user's
machine when visiting such git repository.

Zsh 5.8.1 fixes this vulnerability [1], but older vcs_info setups
still need a workaround such as this one to patch the vulnerability.

[1] https://github.com/zsh-users/zsh/commit/c3ea1e5d52eff8b7b172fa8c1ccc3462b43b2790
---
 lib/vcs_info.zsh | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 lib/vcs_info.zsh

diff --git a/lib/vcs_info.zsh b/lib/vcs_info.zsh
new file mode 100644
index 000000000..01dcd90b6
--- /dev/null
+++ b/lib/vcs_info.zsh
@@ -0,0 +1,50 @@
+# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version)
+autoload -Uz is-at-least
+if is-at-least 5.8.1 || ! is-at-least 5.0.3; then
+  return
+fi
+
+# Quote necessary $hook_com[<field>] items just before they are used
+# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats
+# function, where <field> is:
+#
+#   base:       the full path of the repository's root directory.
+#   base-name:  the name of the repository's root directory.
+#   branch:     the name of the currently checked out branch.
+#   misc:       a string that may contain anything the vcs_info backend wants.
+#   revision:   an identifier of the currently checked out revision.
+#   subdir:     the path of the current directory relative to the
+#               repository's root directory.
+#
+# This patch %-quotes these fields previous to their use in vcs_info hooks and
+# the zformat call and, eventually, when they get expanded in the prompt.
+# It's important to quote these here, and not later after hooks have modified the
+# fields, because then we could be quoting % characters from valid prompt sequences,
+# like %F{color}, %B, etc.
+#
+#  32   │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
+#  33   │ hook_com[subdir_orig]="${hook_com[subdir]}"
+#  34   │
+#  35 + │ for tmp in base base-name branch misc revision subdir; do
+#  36 + │     hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
+#  37 + │ done
+#  38 + │
+#  39   │ VCS_INFO_hook 'post-backend'
+#
+# This is especially important so that no command substitution is performed
+# due to malicious input as a consequence of CVE-2021-45444, which affects
+# zsh versions from 5.0.3 to 5.8.
+#
+autoload -Uz +X regexp-replace VCS_INFO_formats
+
+# We use $tmp here because it's already a local variable in VCS_INFO_formats
+typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"'
+# Unique string to avoid reapplying the patch if this code gets called twice
+typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b
+# Only patch the VCS_INFO_formats function if not already patched
+if [[ "$functions[VCS_INFO_formats]" != *$PATCH_ID* ]]; then
+  regexp-replace 'functions[VCS_INFO_formats]' \
+    "VCS_INFO_hook 'post-backend'" \
+    ': ${PATCH_ID}; ${PATCH}; ${MATCH}'
+fi
+unset PATCH PATCH_ID