fix(plugins): fix potential command injection in `rand-quote` and `hitokoto`

The `rand-quote` plugin uses quotationspage.com and prints part of its content to the shell without sanitization, which could trigger command injection. There is no evidence that this has been exploited, but this commit removes all possibility for exploit. Similarly, the `hitokoto` plugin uses the hitokoto.cn website to print quotes to the shell, also without sanitization. Furthermore, there is also no evidence that this has been exploited, but with this change it is now impossible.

fix(plugins): fix potential command injection in `rand-quote` and `hitokoto`
The `rand-quote` plugin uses quotationspage.com and prints part of its content to the shell without sanitization, which could trigger command injection. There is no evidence that this has been exploited, but this commit removes all possibility for exploit. Similarly, the `hitokoto` plugin uses the hitokoto.cn website to print quotes to the shell, also without sanitization. Furthermore, there is also no evidence that this has been exploited, but with this change it is now impossible.
72928432 · Marc Cornellà · a263cdac · 72928432 · 72928432
Unverified Commit 72928432 authored Nov 09, 2021 by Marc Cornellà
Show whitespace changes
Inline Side-by-side

Showing with 27 additions and 14 deletions

hitokoto.plugin.zsh plugins/hitokoto/hitokoto.plugin.zsh +11 -7

rand-quote.plugin.zsh plugins/rand-quote/rand-quote.plugin.zsh +16 -7

No files found.
--- a/plugins/hitokoto/hitokoto.plugin.zsh
+++ b/plugins/hitokoto/hitokoto.plugin.zsh
@@ -4,11 +4,15 @@ if ! (( $+commands[curl] )); then
 fi

 function hitokoto {
-    emulate -L zsh
-    Q=$(curl -s --connect-timeout 2 "https://v1.hitokoto.cn" | jq -j '.hitokoto+"\t"+.from')
+  setopt localoptions nopromptsubst

-    TXT=$(echo "$Q" | awk -F '\t' '{print $1}')
-    WHO=$(echo "$Q" | awk -F '\t' '{print $2}')
+  # Get hitokoto data
+  local -a data
+  data=("${(ps:\n:)"$(command curl -s --connect-timeout 2 "https://v1.hitokoto.cn" | command jq -j '.hitokoto+"\n"+.from')"}")

-    [[ -n "$WHO" && -n "$TXT" ]] && print -P "%F{3}${WHO}%f: “%F{5}${TXT}%f”"
+  # Exit if could not fetch hitokoto
+  [[ -n "$data" ]] || return 0
+
+  local quote="${data[1]}" author="${data[2]}"
+  print -P "%F{3}${author}%f: “%F{5}${quote}%f”"
 }
--- a/plugins/rand-quote/rand-quote.plugin.zsh
+++ b/plugins/rand-quote/rand-quote.plugin.zsh
@@ -4,11 +4,20 @@ if ! (( $+commands[curl] )); then
 fi

 function quote {
-    emulate -L zsh
-    Q=$(curl -s --connect-timeout 2 "http://www.quotationspage.com/random.php" | iconv -c -f ISO-8859-1 -t UTF-8 | grep -m 1 "dt ")
+  setopt localoptions nopromptsubst

-    TXT=$(echo "$Q" | sed -e 's/<\/dt>.*//g' -e 's/.*html//g' -e 's/^[^a-zA-Z]*//' -e 's/<\/a..*$//g')
-    WHO=$(echo "$Q" | sed -e 's/.*\/quotes\///g' -e 's/<.*//g' -e 's/.*">//g')
+  # Get random quote data
+  local data
+  data="$(command curl -s --connect-timeout 2 "http://www.quotationspage.com/random.php" \
+    | iconv -c -f ISO-8859-1 -t UTF-8 \
+    | command grep -a -m 1 'dt class="quote"')"

-    [[ -n "$WHO" && -n "$TXT" ]] && print -P "%F{3}${WHO}%f: “%F{5}${TXT}%f”"
+  # Exit if could not fetch random quote
+  [[ -n "$data" ]] || return 0
+
+  local quote author
+  quote=$(sed -e 's|</dt>.*||g' -e 's|.*html||g' -e 's|^[^a-zA-Z]*||' -e 's|</a..*$||g' <<< "$data")
+  author=$(sed -e 's|.*/quotes/||g' -e 's|<.*||g' -e 's|.*">||g' <<< "$data")
+
+  print -P "%F{3}${author}%f: “%F{5}${quote}%f”"
 }