fix: quote arguments for passing to auto completion server

[kazupon]

I realized there was code in the zsh completion generation code that caused vulnerabilities.

tab/src/zsh.ts

Line 61 in d5659d5

out=$(eval \${requestComp} 2>/dev/null)

Here, the requestComp variable contains the words that the user entered on the command line (${words[2,-1]}).
The eval command reinterprets this string as a shell command and executes it.

issue point

If the user enters a string containing shell metacharacters (e.g. ;, &, |, $(), etc.) as a command line argument, eval will interpret these metacharacters as command delimiters or subcommand execution with special meaning.
This may cause unintended arbitrary commands to be executed.

example

Suppose the user types the following (name is mycli, and exec is mycli):

mycli some-command '; rm -rf ~ #'

In this case, requestComp would be a string like “mycli complete -- some-command '; rm -rf ~ #”. If eval executes this, the following commands may be executed in order.

As you can see, because the user input is not properly escaped or quoted, there is a risk that arbitrary commands could be injected by using eval.

tab case may be a rare case, but if it is input in some way, it could cause comm

[changeset-bot]

⚠️ No Changeset found

Latest commit: c416a6b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/bombshell-dev/tab@20

commit: c416a6b

[43081j]

looks good to me 👍

good catch. we should also have some tests around this eventually, I'll create a separate issue for that

[dreyfus92]

thank you @kazupon, LGTM 🫡