Harden shell scripts, fix input sanitization, and improve error handling

edgarjs · edgarjs · commit 998912d0b700 · 2026-02-05T10:33:58.000-06:00
- Fix CRITICAL CACHE_DIR bug: use ${:=} so empty plist values trigger default,
  add whitespace trimming, switch to allowlist prefix check ($HOME/.cache)
- Fix jq regex injection: replace test() with ascii_downcase+contains via --arg
- Fix search query injection: switch from denylist to allowlist sanitization
- Replace fragile tr/sed JSON assembly with jq -s slurp and jq -c output
- Add mktemp error handling, signal-safe temp file cleanup
- Add per_page=100 to /user/repos for fewer API calls with --paginate
- Add API_HOST hostname validation and jq availability check in setup.sh
- Surface API errors via stderr instead of silently suppressing with 2&gt;/dev/null
- Add final jq fallback to always output valid Alfred JSON
- Replace echo -n with printf for portability
- Add API_HOST to variablesdontexport to prevent leaking enterprise hostnames
- Fix release.yml: stricter semver tag pattern, HEAD instead of HEAD^1,
  first-tag changelog fallback
- Fix build.sh: add nullglob/dotglob for cleanup, include gh.png in artifact
- Add CACHE_DIR to info.plist variables
- Fix plist &amp;gt; → &gt; for proper blockquote rendering
- Sync README and plist readme wording fixes
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,7 +3,7 @@ name: Build and release
 on:
   push:
     tags:
-      - '*.*.*'
+      - '[0-9]+.[0-9]+.[0-9]+'
 
 jobs:
   release:
@@ -22,7 +22,13 @@ jobs:
         run: bash build.sh
 
       - name: Generate Changelog
-        run: git log $(git tag --sort=-creatordate | awk 'NR==2')..HEAD^1 --oneline --no-merges --no-decorate > CHANGELOG
+        run: |
+          prev_tag=$(git tag --sort=-creatordate | awk 'NR==2')
+          if [[ -n "$prev_tag" ]]; then
+            git log "${prev_tag}..HEAD" --oneline --no-merges --no-decorate > CHANGELOG
+          else
+            git log HEAD --oneline --no-merges --no-decorate > CHANGELOG
+          fi
 
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v2
diff --git a/README.md b/README.md
@@ -15,7 +15,7 @@ brew install gh
 ```
 
 > 💡 **Note**:  
-> The command above assume you use [Homebrew](https://brew.sh) as your package manager.
+> The command above assumes you use [Homebrew](https://brew.sh) as your package manager.
 
 ## Authentication
 
@@ -34,11 +34,11 @@ Double click on the `.alfredworkflow` file and follow the instructions.
 
 ## Usage
 
-There's a single keyword that triggers the workflow: `gh`
+The main keyword that triggers the workflow is: `gh`
 
 Then you can start typing the name of the repository you're looking for.
-It will first try to search within your user's repositories. And if no result
-is found, then it'll search in all public repositories.
+It will first fetch your repositories and filter them locally by name. If no
+match is found, it will search GitHub repositories.
 
 ```
 gh octocat/hello-world
@@ -47,23 +47,23 @@ gh octocat/hello-world
 ![Example of gh command](gh.png)
 
 When an item is highlighted, you can press Enter to open the repository's page,
-or press any of the following modifiers keys for other options:
+or press any of the following modifier keys for other options:
 
 ### Hold `Ctrl ⌃` for repository actions page
 
 Press Enter while holding down the `Ctrl` key to open the repository's actions page.
 
 ### Hold `Cmd ⌘` to see Pull Requests
 
-Press Enter while holding down the `Cmd` key to list the repository's open PR's.
+Press Enter while holding down the `Cmd` key to list the repository's open PRs.
 
-### `Option ⌥` modifier
+### Hold `Option ⌥` to copy SSH clone command
 
 Press Enter while holding down the `Option` key to copy the clone command with the repository's SSH URL.
 
-### `Shift+Option ⇧+⌥` modifier
+### Hold `Shift+Option ⇧+⌥` to copy HTTPS clone command
 
-Press Enter while holding down the `Shift+Option` keys to copy the clone command with the repository's clone URL.
+Press Enter while holding down the `Shift+Option` keys to copy the clone command with the repository's HTTPS URL.
 
 ## Configuration
 
@@ -73,17 +73,17 @@ You can configure the cache duration passed to the GitHub CLI, by setting the fo
 
 | Environment Variable | Description                              | Default           |
 | -------------------- | ---------------------------------------- | ----------------- |
-| `CACHE_PULLS`        | Cache duration for PR's API call         | `10m`             |
+| `CACHE_PULLS`        | Cache duration for PRs API call          | `10m`             |
 | `CACHE_SEARCH_REPOS` | Cache duration for repos search API call | `24h`             |
 | `CACHE_USER_REPOS`   | Cache duration for user repos API call   | `72h`             |
-| `CACHE_DIR`          | Cache directory for the the `gh` CLI     | `$HOME/.cache/gh` |
+| `CACHE_DIR`          | Directory removed by `ghclear` command   | `$HOME/.cache/gh` |
 
 > ⚠️ **Caution** ⚠️
 >
-> If you don't see your recently created repository in the results, it may be the cache duration mentioned above.
+> If you don't see your recently created repository in the results, it may be due to the cache duration mentioned above.
 >
 > Also make sure to use absolute paths if you need to customize the default.
-> Like `/Users/juan/cache` instead `$HOME/cache`
+> Like `/Users/juan/cache` instead of `$HOME/cache`
 
 To clear the cache and force a new request to the GitHub API, type this in Alfred:
 
diff --git a/build.sh b/build.sh
@@ -1,9 +1,12 @@
-#!/bin/bash -e
+#!/bin/bash
+set -euo pipefail
 
 OUTPUT="github-repos.alfredworkflow"
+rm -rf build
 mkdir -p build
-cp clear-cache.sh gh.sh icon.png info.plist pulls.sh setup.sh build/
+cp clear-cache.sh gh.sh gh.png icon.png info.plist pulls.sh setup.sh build/
 cd build
-zip $OUTPUT -r . -qq
-ls | grep -v "$OUTPUT" | xargs rm -r
+zip "$OUTPUT" -r . -qq
+shopt -s nullglob dotglob
+for f in *; do [[ "$f" != "$OUTPUT" ]] && rm -rf "$f"; done
 echo "Done -> $OUTPUT"
diff --git a/clear-cache.sh b/clear-cache.sh
@@ -1,7 +1,29 @@
 #!/bin/bash
 
-CACHE_DIR="${CACHE_DIR:-"$HOME/.cache/gh"}"
+# Use := so empty string AND unset both trigger the default
+CACHE_DIR="${CACHE_DIR:="$HOME/.cache/gh"}"
+
+# Trim whitespace
+CACHE_DIR=$(printf '%s' "$CACHE_DIR" | tr -d '[:space:]')
+
+# Resolve symlinks and .. segments to canonical path (macOS compatible)
+if [[ -d "$CACHE_DIR" ]]; then
+  CACHE_DIR=$(cd "$CACHE_DIR" && /bin/pwd -P)
+fi
+
+# Block empty, root, or home-level paths
+if [[ -z "$CACHE_DIR" || "$CACHE_DIR" == "/" ]]; then
+  printf '%s' "Error: refusing to delete unsafe path: ${CACHE_DIR}" >&2
+  exit 1
+fi
+
+# Require path is under $HOME/.cache (allowlist approach)
+expected_prefix="$HOME/.cache"
+if [[ "$CACHE_DIR" != "$expected_prefix"/* && "$CACHE_DIR" != "$expected_prefix" ]]; then
+  printf '%s' "Error: CACHE_DIR must be under ${expected_prefix}: ${CACHE_DIR}" >&2
+  exit 1
+fi
 
 rm -rf "$CACHE_DIR"
 
-echo -n "${CACHE_DIR}"
+printf '%s' "${CACHE_DIR}"
diff --git a/gh.sh b/gh.sh
@@ -1,10 +1,10 @@
 #!/bin/bash
 
-source ./setup.sh
+source "$(dirname "$0")/setup.sh"
 
 query=$1
 item=$(
-  cat <<EOF
+  cat <<'EOF'
 {
   uid: .id,
   title: .full_name,
@@ -36,23 +36,79 @@ item=$(
 EOF
 )
 
+empty_result='{"items":[]}'
+
+err=$(mktemp) || {
+  printf '%s' "$empty_result"
+  exit 0
+}
+
 repos=$(gh api /user/repos --method GET \
   -f sort=pushed \
+  -F per_page=100 \
   --hostname "$API_HOST" \
   --cache "$CACHE_USER_REPOS" \
   --paginate \
-  --jq ".[] | $item" | grep -i "$query")
-
-if [[ -z "$repos" ]]; then
-  repos=$(gh api /search/repositories --method GET \
-    --hostname "$API_HOST" \
-    -f q="$query in:name archived:false" \
-    -F per_page=9 \
-    -f sort=pushed \
-    --cache "$CACHE_SEARCH_REPOS" \
-    --jq ".items.[] | $item")
+  --jq "[.[] | $item]" 2>"$err")
+gh_exit=$?
+err_msg=$(<"$err")
+rm -f "$err"
+
+if [[ $gh_exit -ne 0 ]]; then
+  if [[ -n "$err_msg" ]]; then
+    printf '%s\n' "$err_msg" >&2
+  fi
+  printf '%s' "$empty_result"
+  exit 0
 fi
 
-items=$(echo -n "$repos" | tr '\n', ',' | sed 's/,$//')
+# --paginate outputs one JSON array per page; merge them and optionally filter
+if [[ -n "$query" ]]; then
+  # Use --arg to safely pass query into jq (no injection possible)
+  repos=$(printf '%s\n' "$repos" | jq -s --arg q "$query" \
+    '[add // [] | .[] | select(.title | ascii_downcase | contains($q | ascii_downcase))]') \
+    || repos="[]"
+else
+  repos=$(printf '%s\n' "$repos" | jq -s 'add // []') || repos="[]"
+fi
+
+# Check if we got results
+has_results=$(printf '%s' "$repos" | jq 'length > 0' 2>/dev/null)
+
+# Fall back to search if no local match and query is present
+if [[ "$has_results" != "true" && -n "$query" ]]; then
+  # Sanitize query: allowlist of safe characters only
+  safe_query=$(printf '%s' "$query" | tr -cd 'a-zA-Z0-9 ._-')
+
+  if [[ -n "$safe_query" ]]; then
+    err=$(mktemp) || {
+      printf '%s' "$empty_result"
+      exit 0
+    }
+
+    repos=$(gh api /search/repositories --method GET \
+      --hostname "$API_HOST" \
+      -f q="$safe_query in:name archived:false" \
+      -F per_page=9 \
+      -f sort=pushed \
+      --cache "$CACHE_SEARCH_REPOS" \
+      --jq "[.items[] | $item]" 2>"$err")
+    gh_exit=$?
+    err_msg=$(<"$err")
+    rm -f "$err"
+
+    if [[ $gh_exit -ne 0 ]]; then
+      if [[ -n "$err_msg" ]]; then
+        printf '%s\n' "$err_msg" >&2
+      fi
+      repos="[]"
+    fi
+  fi
+
+  if [[ -z "$repos" ]]; then
+    repos="[]"
+  fi
+fi
 
-echo -n "{\"items\":[$items]}"
+# Final output with jq fallback
+printf '%s' "$repos" | jq -c '{items: .}' 2>/dev/null || printf '%s' "$empty_result"
diff --git a/info.plist b/info.plist
@@ -384,8 +384,8 @@ Install the GitHub CLI:
 brew install gh
 ```
 
-&gt; **Note**:
-&gt; The command above assume you use [Homebrew](https://brew.sh) as your package manager.
+> **Note**:
+> The command above assumes you use [Homebrew](https://brew.sh) as your package manager.
 
 ## Authentication
 
@@ -398,11 +398,11 @@ gh auth login
 
 ## Usage
 
-There's a single keyword that triggers the workflow: `gh`
+The main keyword that triggers the workflow is: `gh`
 
 Then you can start typing the name of the repository you're looking for.
-It will first try to search within your user's repositories. And if no result
-is found, then it'll search in all public repositories.
+It will first fetch your repositories and filter them locally by name. If no
+match is found, it will search GitHub repositories.
 
 ```
 gh octocat/hello-world
@@ -411,23 +411,23 @@ gh octocat/hello-world
 ![Example of gh command](gh.png)
 
 When an item is highlighted, you can press Enter to open the repository's page,
-or press any of the following modifiers keys for other options:
+or press any of the following modifier keys for other options:
 
 ### Hold `Ctrl ⌃` for repository actions page
 
 Press Enter while holding down the `Ctrl` key to open the repository's actions page.
 
 ### Hold `Cmd ⌘` to see Pull Requests
 
-Press Enter while holding down the `Cmd` key to list the repository's open PR's.
+Press Enter while holding down the `Cmd` key to list the repository's open PRs.
 
-### `Option ⌥` modifier
+### Hold `Option ⌥` to copy SSH clone command
 
 Press Enter while holding down the `Option` key to copy the clone command with the repository's SSH URL.
 
-### `Shift+Option ⇧+⌥` modifier
+### Hold `Shift+Option ⇧+⌥` to copy HTTPS clone command
 
-Press Enter while holding down the `Shift+Option` keys to copy the clone command with the repository's clone URL.
+Press Enter while holding down the `Shift+Option` keys to copy the clone command with the repository's HTTPS URL.
 
 ## Configuration
 
@@ -437,17 +437,17 @@ You can configure the cache duration passed to the GitHub CLI, by setting the fo
 
 | Environment Variable | Description                              | Default           |
 | -------------------- | ---------------------------------------- | ----------------- |
-| `CACHE_PULLS`        | Cache duration for PR's API call         | `10m`             |
+| `CACHE_PULLS`        | Cache duration for PRs API call         | `10m`             |
 | `CACHE_SEARCH_REPOS` | Cache duration for repos search API call | `24h`             |
 | `CACHE_USER_REPOS`   | Cache duration for user repos API call   | `72h`             |
-| `CACHE_DIR`          | Cache directory for the the `gh` CLI     | `$HOME/.cache/gh` |
+| `CACHE_DIR`          | Directory removed by `ghclear` command   | `$HOME/.cache/gh` |
 
-&gt; ⚠️ **Caution** ⚠️
-&gt;
-&gt; If you don't see your recently created repository in the results, it may be the cache duration mentioned above.
-&gt;
-&gt; Also make sure to use absolute paths if you need to customize the default.
-&gt; Like `/Users/juan/cache` instead `$HOME/cache`
+> ⚠️ **Caution** ⚠️
+>
+> If you don't see your recently created repository in the results, it may be due to the cache duration mentioned above.
+>
+> Also make sure to use absolute paths if you need to customize the default.
+> Like `/Users/juan/cache` instead of `$HOME/cache`
 
 To clear the cache and force a new request to the GitHub API, type this in Alfred:
 
@@ -547,9 +547,13 @@ This project is published under the [MIT License](LICENSE.md).</string>
       <string>24h</string>
       <key>CACHE_USER_REPOS</key>
       <string>72h</string>
+      <key>CACHE_DIR</key>
+      <string></string>
     </dict>
     <key>variablesdontexport</key>
-    <array/>
+    <array>
+      <string>API_HOST</string>
+    </array>
     <key>version</key>
     <string>4.0.0</string>
     <key>webaddress</key>
diff --git a/pulls.sh b/pulls.sh
diff --git a/setup.sh b/setup.sh
