From 84ee96c64fe643651eb6220717ad2250ec169a10 Mon Sep 17 00:00:00 2001 From: Chris Antos Date: Mon, 10 Jul 2023 18:07:53 -0700 Subject: [PATCH 1/8] Fix #2859; script error when cwd name contains `%` The `string.gsub()` function in Lua always uses Lua patterns (which are similar to regular expressions). Cmder's custom prompt wants to perform simple plain text find/replace operations on strings. `string.gsub()` is the right Lua function for that, but since it always uses Lua patterns it's necessary to apply escaping to the input strings otherwise they can get misinterpreted and cause runtime errors. For example, if the current working directory name contains a percent sign, such as literally "My%20Home". This change fixes that. It introduces a helper function `gsub_plain()` which behaves like `string.gsub()` but applies appropriate escaping to convert the plain text input strings into the corresponding Lua patterns so that it can achieve plain text find/replace operations. It also introduces separate helper functions for escaping the `find` and `replace` parameters for `string.gsub()`, since they have different escaping rules. --- vendor/clink.lua | 58 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 42 insertions(+), 16 deletions(-) diff --git a/vendor/clink.lua b/vendor/clink.lua index 83ef0c0..0593ae1 100644 --- a/vendor/clink.lua +++ b/vendor/clink.lua 
@@ -51,11 +51,37 @@ local function get_unknown_color() end --- --- Makes a string safe to use as the replacement in string.gsub +-- Escapes special characters in a string.gsub `find` parameter, so that it +-- can be matched as a literal plain text string, i.e. disable Lua pattern +-- matching. See "Patterns" (https://www.lua.org/manual/5.2/manual.html#6.4.1). +-- @param {string} text Text to escape +-- @returns {string} Escaped text --- -local function verbatim(s) - s = string.gsub(s, "%%", "%%%%") - return s +local function escape_gsub_find_arg(text) + return text and text:gsub("([-+*?.%%()%[%]$^])", "%%%1") or "" +end + +--- +-- Escapes special characters in a string.gsub `replace` parameter, so that it +-- can be replaced as a literal plain text string, i.e. disable Lua pattern +-- matching. See "Patterns" (https://www.lua.org/manual/5.2/manual.html#6.4.1). +-- @param {string} text Text to escape +-- @returns {string} Escaped text +--- +local function escape_gsub_replace_arg(text) + return text and text:gsub("%%", "%%%%") or "" +end + +--- +-- Perform string.sub, but disable Lua pattern matching and just treat both +-- the `find` and `replace` parameters as a literal plain text replacement. +-- @param {string} str Text in which to perform find and replace +-- @param {string} find Text to find (plain text; not a Lua pattern) +-- @param {string} replace Replacement text (plain text; not a Lua pattern) +-- @returns {string} Copy of the input `str` with `find` replaced by `replace` +--- +local function gsub_plain(str, find, replace) + return string.gsub(str, escape_gsub_find_arg(find), escape_gsub_replace_arg(replace)) end -- Extracts only the folder name from the input Path @@ -153,7 +179,7 @@ local function set_prompt_filter() end if prompt_useHomeSymbol and string.find(cwd, clink.get_env("HOME")) then - cwd = string.gsub(cwd, clink.get_env("HOME"), prompt_homeSymbol) + cwd = gsub_plain(cwd, clink.get_env("HOME"), prompt_homeSymbol) end local uah = '' 
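Review bot: The doc block on `gsub_plain` says `Perform string.sub`, but the helper wraps `string.gsub`, and `@returns {string}` understates what comes back: `return string.gsub(...)` forwards both results (the new string and the match count), which callers assigning to a single variable silently drop. Suggest `-- Perform string.gsub, but disable Lua pattern matching and just treat both` for the first doc line, and either documenting the second return or truncating it with `return (string.gsub(str, escape_gsub_find_arg(find), escape_gsub_replace_arg(replace)))`. The `text and ... or ""` fallback in both escape helpers also turns a nil `find` into the empty pattern, which `string.gsub` matches at every position and so inserts the replacement between every character of the input; if a nil argument is not expected, failing loudly with `assert(type(text) == "string", "expected a string")` makes a missing environment value visible instead of quietly corrupting the prompt.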
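Review bot: The condition on the unchanged line `if prompt_useHomeSymbol and string.find(cwd, clink.get_env("HOME")) then` still treats the HOME value as a Lua pattern, so a home path containing `%`, `-`, `(` or another magic character can raise the same runtime error (or mis-match) that the commit fixes one line later in the `gsub_plain` call. Passing plain-find arguments closes that gap: `if prompt_useHomeSymbol and string.find(cwd, clink.get_env("HOME"), 1, true) then`. set_prompt_filter starts and ends outside this hunk; a nil HOME would presumably also need a guard ahead of the find, since string.find errors on a nil pattern.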
@@ -176,14 +202,14 @@ local function set_prompt_filter() local version_control = prompt_includeVersionControl and "{git}{hg}{svn}" or "" local prompt = "{uah}{cwd}" .. version_control .. cr .. get_lamb_color() .. "{env}{lamb}\x1b[0m " - prompt = string.gsub(prompt, "{uah}", uah) - prompt = string.gsub(prompt, "{cwd}", cwd) - prompt = string.gsub(prompt, "{env}", env) - clink.prompt.value = string.gsub(prompt, "{lamb}", prompt_lambSymbol) + prompt = gsub_plain(prompt, "{uah}", uah) + prompt = gsub_plain(prompt, "{cwd}", cwd) + prompt = gsub_plain(prompt, "{env}", env) + clink.prompt.value = gsub_plain(prompt, "{lamb}", prompt_lambSymbol) end local function percent_prompt_filter() - clink.prompt.value = string.gsub(clink.prompt.value, "{percent}", "%%") + clink.prompt.value = gsub_plain(clink.prompt.value, "{percent}", "%") end --- @@ -532,13 +558,13 @@ local function git_prompt_filter() color = colors.conflict end - clink.prompt.value = string.gsub(clink.prompt.value, "{git}", " "..color.."("..verbatim(branch)..")") + clink.prompt.value = gsub_plain(clink.prompt.value, "{git}", " "..color.."("..branch..")") return false end end -- No git present or not in git file - clink.prompt.value = string.gsub(clink.prompt.value, "{git}", "") + clink.prompt.value = gsub_plain(clink.prompt.value, "{git}", "") return false end @@ -577,13 +603,13 @@ local function hg_prompt_filter() end local result = color .. "(" .. branch .. ")" - clink.prompt.value = string.gsub(clink.prompt.value, "{hg}", " "..verbatim(result)) + clink.prompt.value = gsub_plain(clink.prompt.value, "{hg}", " "..result) return false end end -- No hg present or not in hg repo - clink.prompt.value = string.gsub(clink.prompt.value, "{hg}", "") + clink.prompt.value = gsub_plain(clink.prompt.value, "{hg}", "") end local function svn_prompt_filter() 
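Review bot: The four consecutive `gsub_plain` calls expand the template in sequence, so text substituted by an earlier call is re-scanned by the later ones: a directory name or environment value that literally contains `{env}`, `{lamb}` or `{git}` is expanded a second time by the following call or by the version-control filters further down. This is pre-existing rather than introduced here, but since the change is about treating such text literally, a single pass with a table replacement would substitute each placeholder exactly once and use the values verbatim without any `%` escaping: `prompt = string.gsub(prompt, "{(%a+)}", { uah = uah, cwd = cwd, env = env, lamb = prompt_lambSymbol })`. Placeholders with no table entry (`{git}`, `{hg}`, `{svn}`, `{percent}`) are left in place by string.gsub, so the later filters keep working unchanged. set_prompt_filter starts outside this hunk.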
@@ -636,13 +662,13 @@ local function svn_prompt_filter() color = colors.dirty end - clink.prompt.value = string.gsub(clink.prompt.value, "{svn}", " "..color.."("..verbatim(branch)..")") + clink.prompt.value = gsub_plain(clink.prompt.value, "{svn}", " "..color.."("..branch..")") return false end end -- No svn present or not in svn file - clink.prompt.value = string.gsub(clink.prompt.value, "{svn}", "") + clink.prompt.value = gsub_plain(clink.prompt.value, "{svn}", "") return false end From 7542376213304c6490084c6c4cd9d15c18e4a598 Mon Sep 17 00:00:00 2001 From: Martin Kemp Date: Thu, 20 Jul 2023 13:56:52 +0100 Subject: [PATCH 2/8] Remove appveyor config (#2805) This should be merged after #2804 Signed-off-by: Martin Kemp --- appveyor.yml | 60 ---------------------------------------------------- 1 file changed, 60 deletions(-) delete mode 100644 appveyor.yml diff --git a/appveyor.yml b/appveyor.yml deleted file mode 100644 index 968a381..0000000 --- a/appveyor.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -#---------------------------------# -# general configuration # -#---------------------------------# - -version: 1.0.{build}-{branch} - -# branches to build -branches: - # blacklist - except: - - gh-pages - -#---------------------------------# -# environment configuration # -#---------------------------------# - -# Operating system (build VM template) -os: Visual Studio 2022 - -#---------------------------------# -# build configuration # -#---------------------------------# - -build_script: - - ps: cd scripts; .\build.ps1 -Compile -verbose - -after_build: - - ps: .\pack.ps1 -verbose - -# Disable test search, since we don't have any. -test: off - -#---------------------------------# -# artifacts # -#---------------------------------# - -artifacts: - - path: build\cmder.zip - name: cmderzip - - - path: build\cmder.7z - name: cmder7z - - - path: build\cmder_mini.zip - name: cmdermini - - - path: build\hashes.txt - name: hashes - -#---------------------------------# -# notifications # -#---------------------------------# - -notifications: - # Webhook - - provider: Webhook - url: https://webhooks.gitter.im/e/d673abb1b2e659dcd625 - on_build_success: true - on_build_failure: true - on_build_status_changed: true From e2168a361cbfe385f7eeb713f605d40b8f0b8e31 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 24 Jul 2023 09:29:50 +0100 Subject: [PATCH 3/8] =?UTF-8?q?=E2=AC=86=EF=B8=8F=20Update=20dependencies?= =?UTF-8?q?=20(git-for-windows=20v2.41.0.windows.3,=20clink=20v1.5.1,=20co?= =?UTF-8?q?nemu-maximus5=20v23.07.23,=20clink-completions=20v0.4.10)=20(#2?= =?UTF-8?q?850)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: DRSDavidSoft --- vendor/sources.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/vendor/sources.json b/vendor/sources.json index 0bd8563..00757a8 100644 
--- a/vendor/sources.json +++ b/vendor/sources.json @@ -1,22 +1,22 @@ [ { "name": "git-for-windows", - "version": "2.40.1.windows.1", - "url": "https://github.com/git-for-windows/git/releases/download/v2.40.1.windows.1/PortableGit-2.40.1-64-bit.7z.exe" + "version": "2.41.0.windows.3", + "url": "https://github.com/git-for-windows/git/releases/download/v2.41.0.windows.3/PortableGit-2.41.0.3-64-bit.7z.exe" }, { "name": "clink", - "version": "1.4.24", - "url": "https://github.com/chrisant996/clink/releases/download/v1.4.24/clink.1.4.24.688975.zip" + "version": "1.5.1", + "url": "https://github.com/chrisant996/clink/releases/download/v1.5.1/clink.1.5.1.1e9e51.zip" }, { "name": "conemu-maximus5", - "version": "22.12.18", - "url": "https://github.com/Maximus5/ConEmu/releases/download/v22.12.18/ConEmuPack.221218.7z" + "version": "23.07.23", + "url": "https://github.com/Maximus5/ConEmu/releases/download/v23.07.23/ConEmuPack.230723.7z" }, { "name": "clink-completions", - "version": "0.4.8", - "url": "https://github.com/vladimir-kotikov/clink-completions/archive/v0.4.8.zip" + "version": "0.4.10", + "url": "https://github.com/vladimir-kotikov/clink-completions/archive/v0.4.10.zip" } ] From 9be28807cbd73e73a1944ded59cf0ba7ab78c1a9 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 24 Jul 2023 14:55:59 +0100 Subject: [PATCH 4/8] =?UTF-8?q?=E2=AC=86=EF=B8=8F=20Update=20dependencies?= =?UTF-8?q?=20(conemu-maximus5=20v23.07.24)=20(#2863)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: DRSDavidSoft --- vendor/sources.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vendor/sources.json b/vendor/sources.json index 00757a8..7ae42a9 100644 --- a/vendor/sources.json +++ b/vendor/sources.json 
@@ -11,8 +11,8 @@ }, { "name": "conemu-maximus5", - "version": "23.07.23", - "url": "https://github.com/Maximus5/ConEmu/releases/download/v23.07.23/ConEmuPack.230723.7z" + "version": "23.07.24", + "url": "https://github.com/Maximus5/ConEmu/releases/download/v23.07.24/ConEmuPack.230724.7z" }, { "name": "clink-completions", From 5e219fe34e9182b035c2906e1e5747ec68a9d643 Mon Sep 17 00:00:00 2001 From: Martin Kemp Date: Mon, 24 Jul 2023 15:04:16 +0100 Subject: [PATCH 5/8] Update build.yml --- .github/workflows/build.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e79c8eb..f34f201 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -30,7 +30,9 @@ jobs: build: name: Build Project runs-on: windows-latest - + permissions: + contents: write + discussions: write steps: - name: Check out repository code (Action from GitHub) uses: actions/checkout@v3 From 4b0344172ace07847950d46a282a4b1a38cfdabc Mon Sep 17 00:00:00 2001 From: David Refoua Date: Tue, 25 Jul 2023 13:47:22 +0330 Subject: [PATCH 6/8] ignore github-related and markdown for tests and codeql --- .github/workflows/codeql.yml | 17 +++++++++++------ .github/workflows/tests.yml | 10 ++++++++++ 2 files changed, 21 insertions(+), 6 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index bca11e9..1be9793 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
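Review bot: The new `permissions:` block in build.yml grants the whole `build` job `contents: write` and `discussions: write` with no comment saying which step needs them; presumably a release-publishing step later in the job, which lies outside this hunk. Write scopes on the job token are worth keeping as narrow as the consuming step requires: if only a release upload needs them, `contents: write` is usually sufficient and `discussions: write` can be dropped, and a comment such as `# required by the release-publishing step below` next to the block records the reason for the next reviewer. It is also worth confirming that the job's triggers, which are outside the hunk, do not run this job with these scopes for pull requests from forks.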
@@ -3,20 +3,25 @@ # # You may wish to alter this file to override the set of languages analyzed, # or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# + name: "CodeQL" on: push: branches: [ "master" ] + paths-ignore: + - '**/*.md' + - '**/*.txt' + - '.github/**' + - '**/.gitignore' pull_request: # The branches below must be a subset of the branches above branches: [ "master" ] + paths-ignore: + - '**/*.md' + - '**/*.txt' + - '.github/**' + - '**/.gitignore' schedule: - cron: '30 19 * * 0' diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index ed34599..c2d64cf 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -4,9 +4,19 @@ on: push: branches: - master + paths-ignore: + - '**/*.md' + - '**/*.txt' + - '.github/**' + - '**/.gitignore' pull_request: branches: - master + paths-ignore: + - '**/*.md' + - '**/*.txt' + - '.github/**' + - '**/.gitignore' defaults: run: From 29650960aa9c84121d1d49ab83d59fb29a432c37 Mon Sep 17 00:00:00 2001 From: Martin Kemp Date: Thu, 27 Jul 2023 19:32:04 +0100 Subject: [PATCH 7/8] Create SECURITY.md (#2866) --- SECURITY.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..0668f01 --- /dev/null +++ b/SECURITY.md 
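Review bot: Adding `.github/**` to `paths-ignore` in codeql.yml (and identically in the tests.yml hunk below it) means a push or pull request that only edits the workflow files, including codeql.yml and tests.yml themselves, no longer runs CodeQL or the test workflow, so a broken or weakened workflow change is validated only by the weekly `schedule` trigger for CodeQL and never for the tests. If these checks are required status checks, note that GitHub reports a path-skipped workflow's checks as pending, so such PRs are blocked rather than passing; if they are not required, the change merges without a scan. Narrowing the entry to directories that really hold no build inputs, e.g. `- '.github/ISSUE_TEMPLATE/**'`, or switching to a `paths:` list with a `!` exclusion for `.github/workflows/**`, keeps workflow edits under test.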
@@ -0,0 +1,22 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| 1.3.x | :white_check_mark: | +| < 1.3 | ❎ | + +## Reporting a Vulnerability + +Please report any vulnerabilities to [MartiUK](https://github.com/MartiUK). + +Please include as much of the information listed below as you can to help us better understand and resolve the issue: + +The type of issue +Full paths of source file(s) related to the manifestation of the issue +The location of the affected source code (tag/branch/commit or direct URL) +Any special configuration required to reproduce the issue +Step-by-step instructions to reproduce the issue +Proof-of-concept or exploit code (if possible) +Impact of the issue, including how an attacker might exploit the issue From 1b9a1e5b6fd183ee3124d2710fffc1b75ab6f3e4 Mon Sep 17 00:00:00 2001 From: David Refoua Date: Fri, 28 Jul 2023 00:58:39 +0330 Subject: [PATCH 8/8] improve markdown (SECURITY.md) use bullet points to render the list correctly; improve sentences --- SECURITY.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 0668f01..8a8128d 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -9,14 +9,16 @@ ## Reporting a Vulnerability -Please report any vulnerabilities to [MartiUK](https://github.com/MartiUK). +If you discover a security issue in our project, please report it to [MartiUK](https://github.com/MartiUK). We will acknowledge your email within 24 hours and provide a more detailed response within 48 hours. We will try to fix the issue as soon as possible and inform you when a new version is released. Please include as much of the information listed below as you can to help us better understand and resolve the issue: -The type of issue -Full paths of source file(s) related to the manifestation of the issue -The location of the affected source code (tag/branch/commit or direct URL) -Any special configuration required to reproduce the issue -Step-by-step instructions to reproduce the issue -Proof-of-concept or exploit code (if possible) -Impact of the issue, including how an attacker might exploit the issue +- The nature of the issue +- The affected source file(s) with full paths +- The location of the vulnerable code (tag/branch/commit or direct URL) +- Any special configuration needed to reproduce the issue +- Detailed steps to reproduce the issue +- Proof-of-concept or exploit code (if possible) +- The impact of the issue, including how an attacker could exploit it + +Please do not disclose the vulnerability publicly until we have resolved it.