From fc53cbe3a3b7f8c02a9533d4ae4ca5ce40c54d24 Mon Sep 17 00:00:00 2001 From: Oskar Grunning Date: Sun, 3 Aug 2025 21:44:22 +0200 Subject: [PATCH] security: fix shell injection vulnerabilities in file path handling Replace unsafe string.format() calls with vim.fn.shellescape() to prevent command injection when file paths contain special characters. --- lua/fff/file_picker/image.lua | 4 ++-- lua/fff/file_picker/preview.lua | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/lua/fff/file_picker/image.lua b/lua/fff/file_picker/image.lua index 8de977cc..be152b54 100644 --- a/lua/fff/file_picker/image.lua +++ b/lua/fff/file_picker/image.lua @@ -158,7 +158,7 @@ end --- @return number|nil, number|nil Width and height in pixels function M.get_image_dimensions(file_path) -- Try file command first - local cmd = string.format('file "%s"', file_path) + local cmd = string.format('file %s', vim.fn.shellescape(file_path)) local result = vim.fn.system(cmd) if vim.v.shell_error == 0 then @@ -167,7 +167,7 @@ function M.get_image_dimensions(file_path) end -- Fallback to identify command (ImageMagick) - cmd = string.format('identify -format "%%w %%h" "%s" 2>/dev/null', file_path) + cmd = string.format('identify -format "%%w %%h" %s 2>/dev/null', vim.fn.shellescape(file_path)) result = vim.fn.system(cmd) if vim.v.shell_error == 0 then diff --git a/lua/fff/file_picker/preview.lua b/lua/fff/file_picker/preview.lua index 47bdc06e..7da1fd41 100644 --- a/lua/fff/file_picker/preview.lua +++ b/lua/fff/file_picker/preview.lua @@ -323,7 +323,7 @@ end --- @return table|nil Lines of content, nil if failed function M.read_file_tail(file_path, tail_lines) -- Use system tail command for efficiency - local cmd = string.format('tail -n %d "%s" 2>/dev/null', tail_lines, file_path) + local cmd = string.format('tail -n %d %s 2>/dev/null', tail_lines, vim.fn.shellescape(file_path)) local result = vim.fn.system(cmd) if vim.v.shell_error ~= 0 then @@ -488,7 +488,7 @@ function M.preview_binary_file(file_path, bufnr, info, file) -- Try to get more information about the binary file if vim.fn.executable('file') == 1 then - local cmd = string.format('file -b "%s"', file_path) + local cmd = string.format('file -b %s', vim.fn.shellescape(file_path)) local result = vim.fn.system(cmd) if vim.v.shell_error == 0 and result then result = result:gsub('\n', '') @@ -502,7 +502,7 @@ function M.preview_binary_file(file_path, bufnr, info, file) table.insert(lines, 'Hex dump (first 1KB):') table.insert(lines, '') - local cmd = string.format('xxd -l 1024 "%s"', file_path) + local cmd = string.format('xxd -l 1024 %s', vim.fn.shellescape(file_path)) local hex_result = vim.fn.system(cmd) if vim.v.shell_error == 0 and hex_result then local hex_lines = vim.split(hex_result, '\n')