From 0f7b3adfd7dcfeec012fecffb7d011f65370766d Mon Sep 17 00:00:00 2001
From: Dylan Araps <dylan.araps@gmail.com>
Date: Tue, 1 Oct 2019 22:34:34 +0300
Subject: [PATCH] kiss: sanitize user input when needed

---
 kiss | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/kiss b/kiss
index 5cd8cb4..c84baac 100755
--- a/kiss
+++ b/kiss
@@ -845,6 +845,17 @@ args() {
     # arguments despite trapping the error ('|| :').
     shift "$(($# > 0 ? 1 : 0))"
 
+    # Unless this is a search, sanitize the user's input. The call to
+    # 'pkg_find()' supports basic globbing, ensure input doesn't expand
+    # to anything except for when this behavior is needed.
+    [ "$action" != search ] && [ "$action" != s ] &&
+        case $* in
+            *[!a-zA-Z0-9_-]*)
+                log kiss "$action $*"
+                die "Arguments contain invalid characters"
+            ;;
+        esac
+
     # Parse some arguments earlier to remove the need to duplicate code.
     case $action in
         c|checksum|s|search)