fix(global): transform with-nth with fzf>= 0.69

[ibhagwan]

fix #2515

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses an issue related to fzf's --with-nth option, specifically for versions 0.69 and above. It refines the global fzf configuration and introduces a mechanism to dynamically adapt the --with-nth behavior based on the active picker, ensuring proper display and functionality across different fzf-lua pickers.

Highlights

• FZF Options Update: Updated global fzf_opts to enable --with-nth with a default value of '..' and set --delimiter to tab characters.
• Dynamic --with-nth Handling: Implemented logic to dynamically adjust the --with-nth option using change-with-nth for fzf versions 0.69 and above, allowing per-picker customization.
• FZF Options Inheritance: Ensured that fzf_opts are inherited from normalized picker options, which is crucial for correctly applying --with-nth to individual picker transforms.
• Treesitter Default: Enabled _treesitter by default in the global configuration.

Changelog

• lua/fzf-lua/defaults.lua
  • Modified global fzf_opts to include --delimiter and set --with-nth to '..'
  • Enabled _treesitter by default in global settings
• lua/fzf-lua/providers/meta.lua
  • Added logic to inherit fzf_opts from normalized picker options to ensure --with-nth is available for transforms
  • Implemented dynamic change-with-nth functionality for fzf versions 0.69 and higher to adjust --with-nth per picker

Activity

• Fixed issue Bug: blines show buffer number when openeed in "global" picker #2515

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request fixes the global picker to correctly handle with-nth transformations for fzf versions 0.69 and newer. However, the implementation is vulnerable to Action Injection because the with-nth value is concatenated into the fzf action string without sanitization, potentially allowing arbitrary shell command execution via fzf's execute action. Additionally, a potential bug exists where an unavailable sub-picker could lead to a runtime error.

[gemini-code-assist]

This logic has a potential issue. If gen_def returns opts = nil (e.g., for an unavailable picker like tags when no tags file is found), def.opts will be nil.

Line 198 will then create a partial def.opts table: def.opts = { fzf_opts = {} }. When this picker is later selected, opts.__alt_opts will be set to this partial table, which will likely cause errors in actions that expect a full options table (e.g., missing cwd).

While the global picker configuration tries to provide fallbacks, it's not guaranteed that a fallback is always available. If an unavailable picker makes it into the list, this will cause a runtime error later when new_picker.contents is accessed (as it would be nil).

A safer approach would be to only perform this logic if def.opts is not nil.

      if def.opts then
        local picker_opts = config.normalize_opts(t.opts, name:gsub("^lsp_", "lsp."))
        def.opts.fzf_opts = vim.tbl_deep_extend("force", def.opts.fzf_opts or {}, picker_opts.fzf_opts)
      end

[gemini-code-assist]

The reload string for fzf's transform action is constructed by concatenating the --with-nth option without proper sanitization. If an attacker can influence the picker's configuration (e.g., via malicious options passed through a script or a shared configuration), they can inject arbitrary fzf actions. For example, a value like 1)+execute(ls) for with-nth would result in the execution of the ls command by fzf. This is an Action Injection vulnerability that leads to arbitrary command execution.