fix: prevent action execution during shell completion after double dash #2342
Open
toller892 wants to merge 1 commit into
When a shell autocomplete script appends --generate-bash-completion to a command line that already contains "--", the completion flag was passed through to the action as a positional argument, causing the action to execute during a completion attempt.

This is particularly dangerous because tab-completion could trigger side effects (e.g., file creation, network calls) without the user pressing Enter.

Changes:
- checkShellCompleteFlag now strips --generate-bash-completion from arguments even when "--" is present, and returns a new boolean indicating whether the completion flag was detected
- RunContext returns early (without executing the action) when the completion flag was detected but shell completion is disabled
- Updated tests to verify the new behavior

Fixes urfave#1993
Description
When a shell autocomplete script appends --generate-bash-completion to a command line that already contains --, the completion flag is passed through to the action as a positional argument, causing the action to execute during a completion attempt.

This is particularly dangerous because tab-completion could trigger side effects (e.g., file creation, network calls) without the user pressing Enter.
Fixes #1993
Root Cause
PR #1938 added a check in checkShellCompleteFlag to disable shell completion when -- is present (correct behavior — after --, only positional args should be accepted). However, when this check fires, the function returns the unmodified arguments including --generate-bash-completion. The app then runs normally with --generate-bash-completion as a positional argument, executing the action.
Changes
help.go — checkShellCompleteFlag
- --generate-bash-completion from arguments when it's detected (regardless of -- presence), so it never leaks into the action's positional arguments
- completionDetected bool to indicate whether the completion flag was present
- (false, true, stripped) when -- is present (completion disabled, but flag was detected and stripped)
- (true, true, stripped) in the normal case (completion enabled, flag stripped)
app.go — RunContext
- nil) when completionDetected && !shellComplete — the completion flag was present but shell completion is disabled (due to --). This prevents the action from executing during a completion attempt.
help_test.go
- Test_checkShellCompleteFlag to verify the new completionDetected return value
- ["--", "foo", "--generate-bash-completion"] to ["--", "foo"]
Behavior Change
app --<TAB> --generate-bash-completion as arg
app -- foo <TAB> --generate-bash-completion as arg
app foo <TAB>
app <TAB>
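The three-value contract described in this PR, as an added stand-alone Go example (not the PR's or urfave/cli's own code). The names checkCompletion and run are hypothetical, and the example assumes the completion script always appends the flag as the final argument.

```go
package main

import "fmt"

// completionFlag is the marker the page says completion scripts append.
const completionFlag = "--generate-bash-completion"

// checkCompletion (hypothetical) mirrors the described contract: it always
// strips a trailing completion flag, reports whether it was seen, and
// disables completion when "--" appears earlier on the command line.
func checkCompletion(args []string) (enabled, detected bool, rest []string) {
	if len(args) == 0 || args[len(args)-1] != completionFlag {
		return false, false, args // ordinary invocation, nothing to strip
	}
	rest = args[:len(args)-1]
	for _, a := range rest {
		if a == "--" {
			return false, true, rest // flag seen, completion disabled
		}
	}
	return true, true, rest
}

// run (hypothetical) shows the dispatch decision: "complete" prints
// suggestions, "noop" returns early, "action" executes the user's command.
func run(args []string) (outcome string, positional []string) {
	enabled, detected, rest := checkCompletion(args)
	switch {
	case enabled:
		return "complete", rest
	case detected:
		return "noop", rest // a TAB press must never reach the action
	default:
		return "action", rest
	}
}

func main() {
	// Constructed sample command lines (program name omitted).
	for _, argv := range [][]string{
		{"--", "foo", completionFlag},
		{"foo", completionFlag},
		{"--", "foo"},
	} {
		outcome, rest := run(argv)
		fmt.Printf("%q -> %s %q\n", argv, outcome, rest)
	}
}
```
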