fix(plugins): fix potential command injection in rand-quote and hitokoto

The `rand-quote` plugin uses quotationspage.com and prints part of its content to the
shell without sanitization, which could trigger command injection. There is no evidence
that this has been exploited, but this commit removes all possibility for exploit.

Similarly, the `hitokoto` plugin uses the hitokoto.cn website to print quotes to the
shell, also without sanitization. Again, there is no evidence that this has been
exploited, but with this change it is now impossible.
Marc Cornellà 2021-11-09 09:31:09 +01:00
parent a263cdac9c
commit 72928432f1
No known key found for this signature in database
GPG key ID: 0314585E776A9C1B
2 changed files with 27 additions and 14 deletions


@ -1,14 +1,18 @@
if ! (( $+commands[curl] )); then if ! (( $+commands[curl] )); then
echo "hitokoto plugin needs curl to work" >&2 echo "hitokoto plugin needs curl to work" >&2
return return
fi fi
function hitokoto { function hitokoto {
emulate -L zsh setopt localoptions nopromptsubst
Q=$(curl -s --connect-timeout 2 "https://v1.hitokoto.cn" | jq -j '.hitokoto+"\t"+.from')
TXT=$(echo "$Q" | awk -F '\t' '{print $1}') # Get hitokoto data
WHO=$(echo "$Q" | awk -F '\t' '{print $2}') local -a data
data=("${(ps:\n:)"$(command curl -s --connect-timeout 2 "https://v1.hitokoto.cn" | command jq -j '.hitokoto+"\n"+.from')"}")
[[ -n "$WHO" && -n "$TXT" ]] && print -P "%F{3}${WHO}%f: “%F{5}${TXT}%f”" # Exit if could not fetch hitokoto
[[ -n "$data" ]] || return 0
local quote="${data[1]}" author="${data[2]}"
print -P "%F{3}${author}%f: “%F{5}${quote}%f”"
} }
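Review bot: The fetched `quote` and `author` strings are still interpolated into the `print -P` argument, so any `%` sequence in the remote text is treated as a prompt escape; `nopromptsubst` stops command and parameter substitution but not percent expansion. Doubling the percent signs before printing keeps the data literal, for example `quote=${quote//\%/%%}` and `author=${author//\%/%%}` ahead of the `print -P` line. The same applies to the `print -P` call in `quote` in the rand-quote section. Separately, the old guard required both fields to be non-empty, while `[[ -n "$data" ]]` appears to let a response with no second line print an empty author.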


@ -1,14 +1,23 @@
if ! (( $+commands[curl] )); then if ! (( $+commands[curl] )); then
echo "rand-quote plugin needs curl to work" >&2 echo "rand-quote plugin needs curl to work" >&2
return return
fi fi
function quote { function quote {
emulate -L zsh setopt localoptions nopromptsubst
Q=$(curl -s --connect-timeout 2 "http://www.quotationspage.com/random.php" | iconv -c -f ISO-8859-1 -t UTF-8 | grep -m 1 "dt ")
TXT=$(echo "$Q" | sed -e 's/<\/dt>.*//g' -e 's/.*html//g' -e 's/^[^a-zA-Z]*//' -e 's/<\/a..*$//g') # Get random quote data
WHO=$(echo "$Q" | sed -e 's/.*\/quotes\///g' -e 's/<.*//g' -e 's/.*">//g') local data
data="$(command curl -s --connect-timeout 2 "http://www.quotationspage.com/random.php" \
| iconv -c -f ISO-8859-1 -t UTF-8 \
| command grep -a -m 1 'dt class="quote"')"
[[ -n "$WHO" && -n "$TXT" ]] && print -P "%F{3}${WHO}%f: “%F{5}${TXT}%f”" # Exit if could not fetch random quote
[[ -n "$data" ]] || return 0
local quote author
quote=$(sed -e 's|</dt>.*||g' -e 's|.*html||g' -e 's|^[^a-zA-Z]*||' -e 's|</a..*$||g' <<< "$data")
author=$(sed -e 's|.*/quotes/||g' -e 's|<.*||g' -e 's|.*">||g' <<< "$data")
print -P "%F{3}${author}%f: “%F{5}${quote}%f”"
} }
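Review bot: The page is still fetched over plain `http://`, so the text reaching `sed` and `print -P` can be altered by anyone on the network path, not only by the site; if the site serves HTTPS, switching the URL in the `curl` call would narrow that input to the site itself. `curl` and `grep` are now prefixed with `command`, but `iconv` and both `sed` calls are not, so an alias or function of the same name would still be picked up; `command iconv …` and `command sed …` would make the pipeline consistent. A short comment above `setopt localoptions nopromptsubst` saying why the option is needed, such as `# Disable prompt substitution so remote text is never evaluated by print -P`, would keep it from being removed later.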