Create SECURITY.md

Fix #2859; script error when cwd name contains `%`

.github/workflows/build.yml

@@ -30,7 +30,9 @@ jobs:
   build:
     name: Build Project
     runs-on: windows-latest
-
+    permissions:
+      contents: write
+      discussions: write
     steps:
     - name: Check out repository code (Action from GitHub)
       uses: actions/checkout@v3

.github/workflows/codeql.yml

@@ -3,20 +3,25 @@
 #
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
+
 name: "CodeQL"
 
 on:
   push:
     branches: [ "master" ]
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
+      - '.github/**'
+      - '**/.gitignore'
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ "master" ]
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
+      - '.github/**'
+      - '**/.gitignore'
   schedule:
     - cron: '30 19 * * 0'
 

.github/workflows/tests.yml

@@ -4,9 +4,19 @@ on:
   push:
     branches:
       - master
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
+      - '.github/**'
+      - '**/.gitignore'
   pull_request:
     branches:
       - master
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
+      - '.github/**'
+      - '**/.gitignore'
 
 defaults:
   run:

SECURITY.md

@@ -0,0 +1,22 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.3.x   | :white_check_mark: |
+| < 1.3   | ❎ |
+
+## Reporting a Vulnerability
+
+Please report any vulnerabilities to [MartiUK](https://github.com/MartiUK).
+
+Please include as much of the information listed below as you can to help us better understand and resolve the issue:
+
+The type of issue
+Full paths of source file(s) related to the manifestation of the issue
+The location of the affected source code (tag/branch/commit or direct URL)
+Any special configuration required to reproduce the issue
+Step-by-step instructions to reproduce the issue
+Proof-of-concept or exploit code (if possible)
+Impact of the issue, including how an attacker might exploit the issue

vendor/clink.lua

@@ -51,11 +51,37 @@ local function get_unknown_color()
 end
 
 ---
--- Makes a string safe to use as the replacement in string.gsub
+-- Escapes special characters in a string.gsub `find` parameter, so that it
+-- can be matched as a literal plain text string, i.e. disable Lua pattern
+-- matching.  See "Patterns" (https://www.lua.org/manual/5.2/manual.html#6.4.1).
+-- @param {string} text Text to escape
+-- @returns {string} Escaped text
 ---
-local function verbatim(s)
-    s = string.gsub(s, "%%", "%%%%")
-    return s
+local function escape_gsub_find_arg(text)
+    return text and text:gsub("([-+*?.%%()%[%]$^])", "%%%1") or ""
+end
+
+---
+-- Escapes special characters in a string.gsub `replace` parameter, so that it
+-- can be replaced as a literal plain text string, i.e. disable Lua pattern
+-- matching.  See "Patterns" (https://www.lua.org/manual/5.2/manual.html#6.4.1).
+-- @param {string} text Text to escape
+-- @returns {string} Escaped text
+---
+local function escape_gsub_replace_arg(text)
+    return text and text:gsub("%%", "%%%%") or ""
+end
+
+---
+-- Perform string.sub, but disable Lua pattern matching and just treat both
+-- the `find` and `replace` parameters as a literal plain text replacement.
+-- @param {string} str Text in which to perform find and replace
+-- @param {string} find Text to find (plain text; not a Lua pattern)
+-- @param {string} replace Replacement text (plain text; not a Lua pattern)
+-- @returns {string} Copy of the input `str` with `find` replaced by `replace`
+---
+local function gsub_plain(str, find, replace)
+    return string.gsub(str, escape_gsub_find_arg(find), escape_gsub_replace_arg(replace))
 end
 
 -- Extracts only the folder name from the input Path
@@ -153,7 +179,7 @@ local function set_prompt_filter()
     end
 
     if prompt_useHomeSymbol and string.find(cwd, clink.get_env("HOME")) then
-        cwd = string.gsub(cwd, clink.get_env("HOME"), prompt_homeSymbol)
+        cwd = gsub_plain(cwd, clink.get_env("HOME"), prompt_homeSymbol)
     end
 
     local uah = ''
@@ -176,14 +202,14 @@ local function set_prompt_filter()
     local version_control = prompt_includeVersionControl and "{git}{hg}{svn}" or ""
 
     local prompt = "{uah}{cwd}" .. version_control .. cr .. get_lamb_color() .. "{env}{lamb}\x1b[0m "
-    prompt = string.gsub(prompt, "{uah}", uah)
-    prompt = string.gsub(prompt, "{cwd}", cwd)
-    prompt = string.gsub(prompt, "{env}", env)
-    clink.prompt.value = string.gsub(prompt, "{lamb}", prompt_lambSymbol)
+    prompt = gsub_plain(prompt, "{uah}", uah)
+    prompt = gsub_plain(prompt, "{cwd}", cwd)
+    prompt = gsub_plain(prompt, "{env}", env)
+    clink.prompt.value = gsub_plain(prompt, "{lamb}", prompt_lambSymbol)
 end
 
 local function percent_prompt_filter()
-    clink.prompt.value = string.gsub(clink.prompt.value, "{percent}", "%%")
+    clink.prompt.value = gsub_plain(clink.prompt.value, "{percent}", "%")
 end
 
 ---
@@ -532,13 +558,13 @@ local function git_prompt_filter()
                 color = colors.conflict
             end
 
-            clink.prompt.value = string.gsub(clink.prompt.value, "{git}", " "..color.."("..verbatim(branch)..")")
+            clink.prompt.value = gsub_plain(clink.prompt.value, "{git}", " "..color.."("..branch..")")
             return false
         end
     end
 
     -- No git present or not in git file
-    clink.prompt.value = string.gsub(clink.prompt.value, "{git}", "")
+    clink.prompt.value = gsub_plain(clink.prompt.value, "{git}", "")
     return false
 end
 
@@ -577,13 +603,13 @@ local function hg_prompt_filter()
             end
 
             local result = color .. "(" .. branch .. ")"
-            clink.prompt.value = string.gsub(clink.prompt.value, "{hg}", " "..verbatim(result))
+            clink.prompt.value = gsub_plain(clink.prompt.value, "{hg}", " "..result)
             return false
         end
     end
 
     -- No hg present or not in hg repo
-    clink.prompt.value = string.gsub(clink.prompt.value, "{hg}", "")
+    clink.prompt.value = gsub_plain(clink.prompt.value, "{hg}", "")
 end
 
 local function svn_prompt_filter()
@@ -636,13 +662,13 @@ local function svn_prompt_filter()
                 color = colors.dirty
             end
 
-            clink.prompt.value = string.gsub(clink.prompt.value, "{svn}", " "..color.."("..verbatim(branch)..")")
+            clink.prompt.value = gsub_plain(clink.prompt.value, "{svn}", " "..color.."("..branch..")")
             return false
         end
     end
 
     -- No svn present or not in svn file
-    clink.prompt.value = string.gsub(clink.prompt.value, "{svn}", "")
+    clink.prompt.value = gsub_plain(clink.prompt.value, "{svn}", "")
     return false
 end
 

vendor/sources.json

@@ -11,8 +11,8 @@
   },
   {
     "name": "conemu-maximus5",
-    "version": "23.07.23",
-    "url": "https://github.com/Maximus5/ConEmu/releases/download/v23.07.23/ConEmuPack.230723.7z"
+    "version": "23.07.24",
+    "url": "https://github.com/Maximus5/ConEmu/releases/download/v23.07.24/ConEmuPack.230724.7z"
   },
   {
     "name": "clink-completions",