Problem: tests: no test for using shellescape() in combination with :!
Solution: Add a test that checks runtime files for using wrong
combination of shellescape() with ! ex command
This has lead to a few security relevant issues, so add a test that
checks all runtime files for any ! followed by a shellescape() that does
not use the {special} arg.
related: Commit: 3fb5e58fbc63d86a3e65f1a141b0d67af2 (patch 9.2.0479:
[security]: runtime(tar): command injection in tar plugin)
closes: vim/vim#20286
Supported by AI
fccc2adc98
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: shellescape() called without {special} flag for :! ex command
Solution: Pass 1 as second argument to shellescape() in :! contexts
related: Commit: 3fb5e58fbc63d86a3e65f1a141b0d67af2 (patch 9.2.0479:
[security]: runtime(tar): command injection in tar plugin)
129486193c
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: Expected text for interactive marks is in a separate json file
from the tutor file. When the tutor file is updated, line numbers
(potentially many) have to be updated in the json file. This is a
burden for maintenance and automatic testing.
Solution: Put the expected text inline in the tutor file, marked
with `[[]]`. Parse and remove the comments before opening the tutor
file so extmarks can be applied.
Problem: runtime(tar): missing path traversal checks in tar#Extract()
Solution: Add check for leading slash, however gnu tar should already
detect this (q1uf3ng)
tar#Extract() did not check for ../ sequences or absolute paths,
unlike zip#Extract() which was patched in recent commits. Add the
same checks: ../ (relative traversal), leading slash (Unix), drive
letter and UNC/leading slash (Windows).
closes: vim/vim#19981490b737f3e
Co-authored-by: q1uf3ng <q1uf3ng@protone.me>
zip#Write(): the Windows path check did not match a single leading
slash (/path), which resolves to the current drive root on Windows.
Simplify the regex to match any leading slash or backslash.
zip#Extract(): add absolute path checks for both Unix and Windows,
matching the existing checks in zip#Write().
closes: vim/vim#19976351a16c88f
Co-authored-by: q1uf3ng <q1uf3ng@protone.me>
Problem:
Neovim's Node.js provider does not support the Bun package manager.
PR #26829 attempted to add this but used a hardcoded path and was abandoned.
Solution:
- Use `bun pm bin -g` to dynamically locate the global binary directory.
- Update `health.lua` to recognize bun installations.
Problem: runtime(tar): but with dotted path
Solution: Do not strip everything after the first dot
(Aaron Burrow)
tar#Extract was getting the extensionless basename by
stripping away everything starting with the leftmost
dot. So if a directory had a dot or the file had an
'extra' dot then the code did the wrong thing. For
example, if it was given:
/tmp/foo.bar/baz.tar.gz
Then it would treat /tmp/foo as the extensionless
basename, but it actually should have grabbed:
/tmp/foo.bar/baz
This patch fixes the issue by instead looking at the
rightmost dot(s).
This bug was discovered by ChatGPT 5.4. I wrote the
patch and tested vim.
closes: vim/vim#199304a1bcc67b4
Co-authored-by: Aaron Burrow <burrows@fastmail.com>
Problem: patch 9.2.0325: runtime(tar): bug in zstd handling
Solution: use correct --zstd argument, separated from other arguments,
rework testing framework (Aaron Burrow).
The tar.vim plugin allows vim to read and manipulate zstd archives,
but it had a bug that caused extraction attempts to fail.
Specifically, if the archive has a .tar.zst or .tzst extension, then
the code was generating invalid extraction commands that looked like
this:
tar --zstdpxf foo.tar.zst foo
When they should be like this:
tar --zstd -pxf foo.tar.zst foo
This patch changes the flag manipulation logic so that --zstd isn't
glued to pxf.
The labor for this change was divided between ChatGPT 5.4 and me.
ChatGPT 5.4 identified the issue (from a code scan?), and I wrote
the patch and tested vim.
related: vim/vim#1993000285c035a
Note: tests need the next patch to pass in Nvim.
Co-authored-by: Aaron Burrow <burrows@fastmail.com>
Problem: runtime(tar): some issues with lz4 support
Solution: Fix bugs (see below) (Aaron Burrow)
The tar plugin allows users to extract files from tar archives that are
compressed with lz4. But, tar#Extract() builds malformed extraction commands
for lz4-compressed tar archives. This commit fixes three issues in that code.
The first affects archives with a .tlz4 extension and the other two affect
archives with .tar.lz4 extension (but one of these is symmetric to the issue
that .tlz4 archives had).
(1) When trying to extract .tlz4 archives the command created by
tar#Extract looked like this:
tar -I lz4pxf foo.tlz4 foo
This isn't right. It should be something like this:
tar -I lz4 -pxf foo.tlz4 foo
This was happening because tar.plugin is just substituting on the
first - in "tar -pxf". This works fine if we just add a simple flag for
extraction (eg, z for .tgz), but for lz4 we need to add "-I lz4".
I don't believe that there is an obvious good way to fix this without
reworking the way the command is generated. Probably we should collect
the command and flags separately and the flags should be stored in a
set. Then put everything together into a string just before issuing it
as an extraction command. Unfortunately, this might break things for users
because they have access to tar_extractcmd.
This patch just makes the substitution a little bit more clever so that it
does the right thing when substituting on a string like "tar -pxf".
(2) .tar.lz4 extractions had the same issue, which my patch fixes in
the same way.
(3) .tar.lz4 extractions had another issue. There was a space missing
in the command generated by tar#Extract. This meant that commands
looked like this (notice the lack of space between the archive and output
file names):
tar -I lz4pxf foo.tar.lz4foo
This patch just puts a space where it should be.
Finally, I should note that ChatGPT 5.4 initially identified this issue
in the code and generated the test cases. I reviewed the test cases,
wrote the patch, and actually ran vim against the tests (both with and
without the patch).
closes: vim/vim#1992578954f86c2
Co-authored-by: Aaron Burrow <burrows@fastmail.com>
Problem: runtime(zip): may write using absolute paths
(syndicate)
Solution: Detect this case and abort on Unix, warn in the documentation
about possible issues
46f530e517
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem:
`:Tutor` should open a copy of the tutor file instead of the original. This is
because edits modify the original file buffer, and crashes or other misuse could
potentially corrupt the original file even if it's WO.
Solution:
Copy the tutor file to a temp path before opening. Store the original path in
`b:tutor_file` so metadata json loading still works.
- `tutor#TutorCmd` will now copy the tutor file to a temp path via `tempname()`
before opening with `drop`. Store the original path in `b:tutor_file` only
after the buffer is created.
- `tutor#LoadMetadata` now uses `b:tutor_file` to resolve the JSON path instead
of `expand('%')`, which now points to the temp copy buffer
- `ftplugin/tutor.vim` does not make the `tutor#LoadMetadata` call anymore. It
was guarded by `filereadable(expand('%').'.json')` which fails for the new
temp copy path logic . Instead, `tutor#LoadMetadata` is already called
directly inside `tutor#TutorCmd` since we are already assumed to enable
interactive.
Co-authored-by: Phạm Bình An <111893501+brianhuster@users.noreply.github.com>
- ':!' is not stable, so use system() to get more consistent behaviour.
- Only warns when using 'pwsh'.
- Remove trailing spaces.
closes: vim/vim#19370abac1c1aa6
Co-authored-by: Mao-Yining <mao.yining@outlook.com>
Co-Authored-by: @lxhillwind
Problem: search() is used to check for the message from tar that
indicates leading slashes found in the tar archive, or to
check for the leading slashes themselves. However, if
'nowrapscan' is in effect these searches are limited to the
last line and don't find any results. This causes the warning
message from tar to be seen in the buffer, the "Path Traversal
Attack Detected" message to be omitted, and editing actions
can fail. This can be seen, for example, when editing
src/testdir/samples/evil.tar.
Solution: Use the 'w' flag for search() (Kevin Goodsell)
closes: vim/vim#1933318d844e365
Co-authored-by: Kevin Goodsell <kevin-opensource@omegacrash.net>
This reverts commits:
- 6b652a785033fd4164e049492a7327c1ed7c3e5f
- 2f689d5abde0ccddca9e20d8c93a0299bd054e32
- a025a46d4169587145fb54f04af349cd05cb6122
Several email addresses that are known to be valid caused bounces
due to an issue with my email setup. The previous commits incorrectly
marked these addresses as invalid. So revert the whole thing again.
62d8f3dab5
N/A patch:
vim-patch:2f689d5: runtime: mark more invalid email addresses
Co-authored-by: Christian Brabandt <cb@256bit.org>
This reverts 2495e7e. That past change meant that we would modify the
buffer contents of a tmux session if it exists, even if the current Nvim
process wasn't running inside of it. Depending on the tmux
configuration, this could even affect the clipboard of an actually
attached tmux client, since tmux itself uses OSC 52 to forward buffer
writes to attached clients.
While autodetection is usually a trade-off and can rarely make everybody
happy, this behavior goes counter the principle of least surprise. If
really desired, it can be brought back by explicit configuration.
Problem:
Spell file downloads relied on Vimscript and netrw (:Nread). If netrw is
disabled, downloads fail.
Solution:
Port the logic to Lua as `nvim.spellfile` and wire it via a Lua plugin that
handles `SpellFileMissing`. Use `vim.net.request()` with a timeout for HTTP,
prompt via `vim.fn.input` and report via `vim.notify`.
Closes#7189
Add complete_check() to ccomplete completion script to avoid UI hangs
and keep Vim responsive as ccomplete can be slow on huge files.
closes: vim/vim#178263add0d5e75
vim-patch:44309b9: runtime(ccomplete): return partial results on complete_check()
closes: vim/vim#1783844309b9d08
Co-authored-by: Maxim Kim <habamax@gmail.com>
Problem:
From https://matrix.to/#/!cylwlNXSwagQmZSkzs:matrix.org/$Ofj-TFIsEMbp0O9OhE8xuZSNi-nhRLtZTOgs6JRLNrs?via=matrix.org&via=gitter.im&via=mozilla.org
In lesson 2.6, users are asked to remove the second, forth and fifth
lines with `dd` command, then they are asked to undo twice to make the
text go back to original state. But after that, the mark ✗ appears
again, which confuses the user because they think they do something
wrong. This is a limitation with the current implementation, which is
based on line number only.
Solution:
Reimplement interactive marks as extmarks in Lua. This also make the
feature less fragile, as users can remove, add some arbitrary lines
without breaking the interactive marks.
Co-authored-by: Justin M. Keyes <justinkz@gmail.com>
Problem: [security]: path traversal issue in tar.vim
(@ax)
Solution: warn the user for such things, drop leading /, don't
forcefully overwrite files when writing temporary files,
refactor autoload/tar.vim
tar.vim: drop leading / in path names
A tar archive containing files with leading `/` may cause confusions as
to where the content is extracted. Let's make sure we drop the leading
`/` and use a relative path instead.
Also while at it, had to refactor it quite a bit and increase the
minimum supported Vim version to v9. Also add a test for some basic tar
functionality
closes: vim/vim#1773387757c6b0a
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: [security]: path traversal issue in zip.vim (@ax)
Solution: drop leading ../ on write of zipfiles, don't forcefully
overwrite existing files
A zip plugin which contains filenames with leading '../' may cause
confusion as to where the content will be extracted. Let's drop such
things and make sure we use a relative filename instead and don't
forcefully overwrite temporary files. Also, warn the user of such
things.
related: vim/vim#17733586294a041
vim-patch:e1044fb: runtime(zip): raise minimum Vim version to v9.0
vim-patch:e2d9b0d: runtime(zip): zip plugin does not work with Vim 9.0
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problems:
- Unlike in Vim, Neovim does not report pack/*/start/* in the resolved value of 'rtp' (see `:help packages-runtimepath`)
- This means that the tutor plugin cannot find the tutors in pack/*/start/*
Solution:
- Use nvim_list_runtime_paths() instead of &rtp
Problem:
With these settings, copy/pasting `blockwise-visual` (with `CTRL+V`)
incorrectly pastes as a `linewise` mode because `regtype` is ignored:
vim.opt.clipboard = 'unnamedplus'
vim.g.clipboard = 'osc52'
To reproduce: press `CTRL+V` and select some characters press `p` and
observe that it is pasted in `linewise` mode.
Solution:
Enable the [clipboard.vim](https://github.com/neovim/neovim/blob/master/runtime/autoload/provider/clipboard.vim#L281-L283))
cache for function providers, so that `regtype` is maintained for the OSC52
clipboard provider.
