fix(themes): fix potential command injection in pygmalion, `pygmali…

…on-virtualenv` and `refined` The pygmalion and pygmalion-virtualenv themes unsafely handle git prompt information which results in a double evaluation of this information, so a malicious git repository could trigger a command injection if the user cloned and entered the repository. A similar method could be used in the refined theme. All themes have been patched against this vulnerability.
457452950 · Nov 11, 2021 · b3ba997 · b3ba997
1 parent 7292843
commit b3ba997
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 8 deletions.
diff --git a/themes/pygmalion-virtualenv.zsh-theme b/themes/pygmalion-virtualenv.zsh-theme
@@ -35,19 +35,20 @@ prompt_setup_pygmalion(){
 }
 
 prompt_pygmalion_precmd(){
-  setopt localoptions extendedglob
+  setopt localoptions nopromptsubst extendedglob
 
   local gitinfo=$(git_prompt_info)
   local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}}
-  local exp_nocolor="$(print -P \"$base_prompt_nocolor$gitinfo_nocolor$post_prompt_nocolor\")"
+  local exp_nocolor="$(print -P \"${base_prompt_nocolor}${gitinfo_nocolor}${post_prompt_nocolor}\")"
   local prompt_length=${#exp_nocolor}
 
+  # add new line on prompt longer than 40 characters
   local nl=""
-
   if [[ $prompt_length -gt 40 ]]; then
-    nl=$'\n%{\r%}';
+    nl=$'\n%{\r%}'
   fi
-  PROMPT="$base_prompt$gitinfo$nl$post_prompt"
+
+  PROMPT="${base_prompt}\$(git_prompt_info)${nl}${post_prompt}"
 }
 
 prompt_setup_pygmalion
diff --git a/themes/pygmalion.zsh-theme b/themes/pygmalion.zsh-theme
@@ -19,14 +19,14 @@ prompt_setup_pygmalion(){
 }
 
 prompt_pygmalion_precmd(){
-  setopt localoptions extendedglob
+  setopt localoptions nopromptsubst extendedglob
 
   local gitinfo=$(git_prompt_info)
   local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}}
-  local exp_nocolor="$(print -P \"$base_prompt_nocolor$gitinfo_nocolor$post_prompt_nocolor\")"
+  local exp_nocolor="$(print -P \"${base_prompt_nocolor}${gitinfo_nocolor}${post_prompt_nocolor}\")"
   local prompt_length=${#exp_nocolor}
 
-  PROMPT="${base_prompt}${gitinfo}${post_prompt}"
+  PROMPT="${base_prompt}\$(git_prompt_info)${post_prompt}"
 }
 
 prompt_setup_pygmalion
diff --git a/themes/refined.zsh-theme b/themes/refined.zsh-theme
@@ -70,6 +70,7 @@ preexec() {
 # Output additional information about paths, repos and exec time
 #
 precmd() {
+    setopt localoptions nopromptsubst
     vcs_info # Get version control info before we start outputting stuff
     print -P "\n$(repo_information) %F{yellow}$(cmd_exec_time)%f"
     unset cmd_timestamp #Reset cmd exec time.