Enhance command replacer

afilina · afilina · commit abc89912ef99 · 2025-07-19T09:05:30.000-04:00
- Use functions for easier reasoning about the code.
- Compare commands to an allow list; easier to read and scalable.
- Check for unsafe tokens.
- Add default options so we don't have to repeat them in every COMMAND-OUTPUT.
- Replace eval with ${EXECUTABLE_COMMAND[@]} to prevent injections.

Example errors:

`ls -l`
ERROR: refusing to run arbitrary command: ls

`phpcs &amp;&amp; ls -l`
ERROR: refusing unsafe token: &amp;&amp;
diff --git a/build/wiki-command-replacer.sh b/build/wiki-command-replacer.sh
@@ -6,6 +6,45 @@ cd "$(dirname "$0")/.."
 
 MARKER_START='{{COMMAND-OUTPUT "'
 MARKER_END='"}}'
+ALLOWED_COMMANDS=("phpcs" "phpcbf")
+DEFAULT_OPTIONS=("--parallel=1" "--no-cache" "--no-colors" "--report-width=100" "--report=diff")
+
+tokenize_command() {
+  read -ra TOKENS <<< "$1"
+}
+
+check_allowed_commands() {
+  local cmd="${TOKENS[0]}"
+  for allowed in "${ALLOWED_COMMANDS[@]}"; do
+    [[ "$cmd" == "$allowed" ]] && return 0
+  done
+
+  echo >&2 "  ERROR: refusing to run arbitrary command: $cmd"
+  exit 1
+}
+
+validate_tokens() {
+  for token in "${TOKENS[@]}"; do
+    if [[ "$token" =~ [\;\|\&\$\<\>\`\\] ]]; then
+      echo >&2 "  ERROR: refusing unsafe token: $token"
+      exit 1
+    fi
+  done
+}
+
+add_default_options() {
+  EXECUTABLE_COMMAND=("${TOKENS[0]}" "${DEFAULT_OPTIONS[@]}" "${TOKENS[@]:1}")
+}
+
+execute_command() {
+  tokenize_command "$1"
+  check_allowed_commands
+  validate_tokens
+  add_default_options
+
+  echo >&2 "  INFO: running: ${EXECUTABLE_COMMAND[@]}"
+  ${EXECUTABLE_COMMAND[@]}
+}
 
 if [[ -z "${CI:-}" ]]; then
   # The `_wiki` directory is created in a previous GitHub Action step.
@@ -19,20 +58,10 @@ grep -lrF "${MARKER_START}" _wiki | while read -r file_to_process; do
 
   while IFS=$'\n' read -r line; do
     if [[ ${line} = ${MARKER_START}*${MARKER_END} ]]; then
-      COMMAND="${line##"${MARKER_START}"}"
-      COMMAND="${COMMAND%%"${MARKER_END}"}"
-
-      if [[ "${COMMAND}" != "phpcs "* ]] && [[ "${COMMAND}" != "phpcbf "* ]]; then
-        echo >&2 "  ERROR: refusing to run arbitrary command: ${COMMAND}"
-        exit 1
-      fi
-
-      #FIXME refuse to run commands with a semicolon / pipe / ampersand / sub-shell
+      USER_COMMAND="${line##"${MARKER_START}"}"
+      USER_COMMAND="${USER_COMMAND%%"${MARKER_END}"}"
 
-      echo >&2 "  INFO: running: ${COMMAND}"
-      (
-        eval "${COMMAND}" </dev/null || true
-      )
+      execute_command "$USER_COMMAND" </dev/null || true
     else
       echo "${line}"
     fi
