diff --git a/.github/workflows/branches.yml b/.github/workflows/branches.yml index b745893..333242b 100644 --- a/.github/workflows/branches.yml +++ b/.github/workflows/branches.yml @@ -19,7 +19,7 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out the repository under $GITHUB_WORKSPACE, so the job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 # fetch all history for all branches and tags diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e79c8eb..148ad61 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -30,10 +30,12 @@ jobs: build: name: Build Project runs-on: windows-latest - + permissions: + contents: write + discussions: write steps: - name: Check out repository code (Action from GitHub) - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index bca11e9..0710ed0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -3,20 +3,25 @@ # # You may wish to alter this file to override the set of languages analyzed, # or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# + name: "CodeQL" on: push: branches: [ "master" ] + paths-ignore: + - '**/*.md' + - '**/*.txt' + - '.github/**' + - '**/.gitignore' pull_request: # The branches below must be a subset of the branches above branches: [ "master" ] + paths-ignore: + - '**/*.md' + - '**/*.txt' + - '.github/**' + - '**/.gitignore' schedule: - cron: '30 19 * * 0' 
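Review bot: The new `permissions:` block in the build.yml hunk grants `contents: write` and `discussions: write` to the whole `build` job, and GitHub scopes the token per job, so every step that follows — checkout, the compile and packaging steps, any third-party action — runs with a token that can push to the repository. The steps that would actually need these scopes (presumably a release step) are outside the hunk, so I cannot confirm `discussions: write` is used at all; it is only needed when a release step creates a release discussion, and should be dropped otherwise. If the release is published from this job, consider splitting publishing into its own job that declares the write scopes, leaving the build job on a read-only token.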
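Review bot: The added `paths-ignore` list in the codeql.yml hunk excludes `'.github/**'`, so a pull request that changes only this workflow (its query set, languages or build steps) no longer triggers a CodeQL run, and a broken scan configuration is first seen by the `cron` schedule rather than on the PR that introduced it; the tests.yml hunk adds the same filter, where it likewise stops workflow changes from being exercised before merge. I would drop `'.github/**'` from both lists, or narrow it to paths that do not hold workflow definitions. If CodeQL or the tests are configured as required status checks, a PR that touches only ignored paths produces no check run at all; confirm how branch protection treats a missing check before relying on the filter.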
@@ -40,7 +45,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index ed34599..6fceff3 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -4,9 +4,19 @@ on: push: branches: - master + paths-ignore: + - '**/*.md' + - '**/*.txt' + - '.github/**' + - '**/.gitignore' pull_request: branches: - master + paths-ignore: + - '**/*.md' + - '**/*.txt' + - '.github/**' + - '**/.gitignore' defaults: run: @@ -26,7 +36,7 @@ jobs: continue-on-error: false steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Initialize vendors shell: pwsh working-directory: scripts diff --git a/.github/workflows/vendor.yml b/.github/workflows/vendor.yml index e01155f..4b96280 100644 --- a/.github/workflows/vendor.yml +++ b/.github/workflows/vendor.yml @@ -24,7 +24,7 @@ jobs: pull-requests: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..8a8128d --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,24 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| 1.3.x | :white_check_mark: | +| < 1.3 | ❎ | + +## Reporting a Vulnerability + +If you discover a security issue in our project, please report it to [MartiUK](https://github.com/MartiUK). We will acknowledge your email within 24 hours and provide a more detailed response within 48 hours. We will try to fix the issue as soon as possible and inform you when a new version is released. + +Please include as much of the information listed below as you can to help us better understand and resolve the issue: + +- The nature of the issue +- The affected source file(s) with full paths +- The location of the vulnerable code (tag/branch/commit or direct URL) +- Any special configuration needed to reproduce the issue +- Detailed steps to reproduce the issue +- Proof-of-concept or exploit code (if possible) +- The impact of the issue, including how an attacker could exploit it + +Please do not disclose the vulnerability publicly until we have resolved it. diff --git a/appveyor.yml b/appveyor.yml deleted file mode 100644 index 968a381..0000000 --- a/appveyor.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -#---------------------------------# -# general configuration # -#---------------------------------# - -version: 1.0.{build}-{branch} - -# branches to build -branches: - # blacklist - except: - - gh-pages - -#---------------------------------# -# environment configuration # -#---------------------------------# - -# Operating system (build VM template) -os: Visual Studio 2022 - -#---------------------------------# -# build configuration # -#---------------------------------# - -build_script: - - ps: cd scripts; .\build.ps1 -Compile -verbose - -after_build: - - ps: .\pack.ps1 -verbose - -# Disable test search, since we don't have any. -test: off - -#---------------------------------# -# artifacts # -#---------------------------------# - -artifacts: - - path: build\cmder.zip - name: cmderzip - - - path: build\cmder.7z - name: cmder7z - - - path: build\cmder_mini.zip - name: cmdermini - - - path: build\hashes.txt - name: hashes - -#---------------------------------# -# notifications # -#---------------------------------# - -notifications: - # Webhook - - provider: Webhook - url: https://webhooks.gitter.im/e/d673abb1b2e659dcd625 - on_build_success: true - on_build_failure: true - on_build_status_changed: true diff --git a/vendor/clink.lua b/vendor/clink.lua index 83ef0c0..0593ae1 100644 --- a/vendor/clink.lua +++ b/vendor/clink.lua 
@@ -51,11 +51,37 @@ local function get_unknown_color() end --- --- Makes a string safe to use as the replacement in string.gsub +-- Escapes special characters in a string.gsub `find` parameter, so that it +-- can be matched as a literal plain text string, i.e. disable Lua pattern +-- matching. See "Patterns" (https://www.lua.org/manual/5.2/manual.html#6.4.1). +-- @param {string} text Text to escape +-- @returns {string} Escaped text --- -local function verbatim(s) - s = string.gsub(s, "%%", "%%%%") - return s +local function escape_gsub_find_arg(text) + return text and text:gsub("([-+*?.%%()%[%]$^])", "%%%1") or "" +end + +--- +-- Escapes special characters in a string.gsub `replace` parameter, so that it +-- can be replaced as a literal plain text string, i.e. disable Lua pattern +-- matching. See "Patterns" (https://www.lua.org/manual/5.2/manual.html#6.4.1). +-- @param {string} text Text to escape +-- @returns {string} Escaped text +--- +local function escape_gsub_replace_arg(text) + return text and text:gsub("%%", "%%%%") or "" +end + +--- +-- Perform string.sub, but disable Lua pattern matching and just treat both +-- the `find` and `replace` parameters as a literal plain text replacement. +-- @param {string} str Text in which to perform find and replace +-- @param {string} find Text to find (plain text; not a Lua pattern) +-- @param {string} replace Replacement text (plain text; not a Lua pattern) +-- @returns {string} Copy of the input `str` with `find` replaced by `replace` +--- +local function gsub_plain(str, find, replace) + return string.gsub(str, escape_gsub_find_arg(find), escape_gsub_replace_arg(replace)) end -- Extracts only the folder name from the input Path @@ -153,7 +179,7 @@ local function set_prompt_filter() end if prompt_useHomeSymbol and string.find(cwd, clink.get_env("HOME")) then - cwd = string.gsub(cwd, clink.get_env("HOME"), prompt_homeSymbol) + cwd = gsub_plain(cwd, clink.get_env("HOME"), prompt_homeSymbol) end local uah = '' 
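Review bot: The header comment on gsub_plain says `Perform string.sub`, but the function wraps string.gsub; fix the comment, and since it returns `string.gsub(...)` directly it also hands callers the match count as a second value, which `@returns` should mention (`-- @returns {string, number} Copy of str with find replaced, and the number of replacements`). Separately, both escape helpers map a nil argument to `""`, so `gsub_plain(str, nil, x)` becomes a gsub with an empty pattern, which inserts `x` between every character of `str` instead of doing nothing; a guard at the top of gsub_plain, `if not find or find == "" then return str, 0 end`, would make a missing search string a no-op. The character set in escape_gsub_find_arg does cover all twelve Lua magic characters, so the literal-match intent holds.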
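Review bot: The `string.find(cwd, clink.get_env("HOME"))` guard on the line above the changed `cwd = gsub_plain(...)` still treats the HOME value as a Lua pattern while the replacement now treats it as plain text, so a home path containing `(`, `)` or `%` can raise a malformed-pattern error or fail to match before gsub_plain is ever reached. Use a plain find to match the new semantics: `if prompt_useHomeSymbol and string.find(cwd, clink.get_env("HOME"), 1, true) then`. set_prompt_filter starts and ends outside the hunk.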
@@ -176,14 +202,14 @@ local function set_prompt_filter() local version_control = prompt_includeVersionControl and "{git}{hg}{svn}" or "" local prompt = "{uah}{cwd}" .. version_control .. cr .. get_lamb_color() .. "{env}{lamb}\x1b[0m " - prompt = string.gsub(prompt, "{uah}", uah) - prompt = string.gsub(prompt, "{cwd}", cwd) - prompt = string.gsub(prompt, "{env}", env) - clink.prompt.value = string.gsub(prompt, "{lamb}", prompt_lambSymbol) + prompt = gsub_plain(prompt, "{uah}", uah) + prompt = gsub_plain(prompt, "{cwd}", cwd) + prompt = gsub_plain(prompt, "{env}", env) + clink.prompt.value = gsub_plain(prompt, "{lamb}", prompt_lambSymbol) end local function percent_prompt_filter() - clink.prompt.value = string.gsub(clink.prompt.value, "{percent}", "%%") + clink.prompt.value = gsub_plain(clink.prompt.value, "{percent}", "%") end --- @@ -532,13 +558,13 @@ local function git_prompt_filter() color = colors.conflict end - clink.prompt.value = string.gsub(clink.prompt.value, "{git}", " "..color.."("..verbatim(branch)..")") + clink.prompt.value = gsub_plain(clink.prompt.value, "{git}", " "..color.."("..branch..")") return false end end -- No git present or not in git file - clink.prompt.value = string.gsub(clink.prompt.value, "{git}", "") + clink.prompt.value = gsub_plain(clink.prompt.value, "{git}", "") return false end @@ -577,13 +603,13 @@ local function hg_prompt_filter() end local result = color .. "(" .. branch .. ")" - clink.prompt.value = string.gsub(clink.prompt.value, "{hg}", " "..verbatim(result)) + clink.prompt.value = gsub_plain(clink.prompt.value, "{hg}", " "..result) return false end end -- No hg present or not in hg repo - clink.prompt.value = string.gsub(clink.prompt.value, "{hg}", "") + clink.prompt.value = gsub_plain(clink.prompt.value, "{hg}", "") end local function svn_prompt_filter() 
@@ -636,13 +662,13 @@ local function svn_prompt_filter() color = colors.dirty end - clink.prompt.value = string.gsub(clink.prompt.value, "{svn}", " "..color.."("..verbatim(branch)..")") + clink.prompt.value = gsub_plain(clink.prompt.value, "{svn}", " "..color.."("..branch..")") return false end end -- No svn present or not in svn file - clink.prompt.value = string.gsub(clink.prompt.value, "{svn}", "") + clink.prompt.value = gsub_plain(clink.prompt.value, "{svn}", "") return false end diff --git a/vendor/init.bat b/vendor/init.bat index 027f710..1799ae4 100644 --- a/vendor/init.bat +++ b/vendor/init.bat @@ -153,7 +153,8 @@ if not "%CMDER_SHELL%" == "cmd" ( set CMDER_ALIASES=0 ) -:: Pick right version of Clink +:: Pick the right version of Clink +:: TODO: Support for ARM if "%PROCESSOR_ARCHITECTURE%"=="x86" ( set clink_architecture=x86 set architecture_bits=32 @@ -166,7 +167,7 @@ if "%PROCESSOR_ARCHITECTURE%"=="x86" ( ) if "%CMDER_CLINK%" == "1" ( - REM TODO: If clink is already injected, goto :CLINK_FINISH + REM TODO: Detect if clink is already injected, if so goto :CLINK_FINISH goto :INJECT_CLINK ) @@ -205,8 +206,10 @@ goto :SKIP_CLINK "%CMDER_ROOT%\vendor\clink\clink_%clink_architecture%.exe" inject --quiet --profile "%CMDER_CONFIG_DIR%" --scripts "%CMDER_ROOT%\vendor" - if errorlevel 1 ( - %print_error% "Clink initialization has failed with error code: %errorlevel%" + :: Check if a fatal error occurred when trying to inject Clink + if errorlevel 2 ( + REM %print_error% "Clink injection has failed with error code: %errorlevel%" + goto :SKIP_CLINK ) goto :CLINK_FINISH 
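Review bot: In the init.bat hunk at `@@ -205`, the error report inside the new `if errorlevel 2 (` block is commented out with `REM`, so a failed Clink injection now jumps to `:SKIP_CLINK` with no output at all, and because `if errorlevel N` is true for any exit code >= N, an exit code of 1 now falls through to `:CLINK_FINISH` as if injection had succeeded. Keep the diagnostic on the failure path, `%print_error% "Clink injection has failed with error code: %errorlevel%"`, and if exit code 1 is intentionally treated as non-fatal, say so in the `:: Check if a fatal error occurred` comment so the threshold is not read as a typo. The surrounding `:INJECT_CLINK` section continues outside the hunk.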
@@ -237,8 +240,8 @@ if "%CMDER_CONFIGURED%" GTR "1" ( :: Prepare for git-for-windows :: Detect which git.exe version to use -:: * if the users points as to a specific git, use that -:: * test if a git is in path and if yes, use that +:: * if the user points to a specific git, use that +:: * test if git is in path and if yes, use that :: * last, use our vendored git :: also check that we have a recent enough version of git by examining the version string if defined GIT_INSTALL_ROOT ( diff --git a/vendor/sources.json b/vendor/sources.json index 0bd8563..7ae42a9 100644 --- a/vendor/sources.json +++ b/vendor/sources.json @@ -1,22 +1,22 @@ [ { "name": "git-for-windows", - "version": "2.40.1.windows.1", - "url": "https://github.com/git-for-windows/git/releases/download/v2.40.1.windows.1/PortableGit-2.40.1-64-bit.7z.exe" + "version": "2.41.0.windows.3", + "url": "https://github.com/git-for-windows/git/releases/download/v2.41.0.windows.3/PortableGit-2.41.0.3-64-bit.7z.exe" }, { "name": "clink", - "version": "1.4.24", - "url": "https://github.com/chrisant996/clink/releases/download/v1.4.24/clink.1.4.24.688975.zip" + "version": "1.5.1", + "url": "https://github.com/chrisant996/clink/releases/download/v1.5.1/clink.1.5.1.1e9e51.zip" }, { "name": "conemu-maximus5", - "version": "22.12.18", - "url": "https://github.com/Maximus5/ConEmu/releases/download/v22.12.18/ConEmuPack.221218.7z" + "version": "23.07.24", + "url": "https://github.com/Maximus5/ConEmu/releases/download/v23.07.24/ConEmuPack.230724.7z" }, { "name": "clink-completions", - "version": "0.4.8", - "url": "https://github.com/vladimir-kotikov/clink-completions/archive/v0.4.8.zip" + "version": "0.4.10", + "url": "https://github.com/vladimir-kotikov/clink-completions/archive/v0.4.10.zip" } ]