fix: Ban ls command (#1141)

* Ban `ls` command * Update banned commands test so it only checks bash and sh files * Only allow `ls` for resolving symlinks * Replace `ls` commands with `find`
asdf-vm · Dec 29, 2021 · 87137e4 · 87137e4
1 parent e61e3d9
commit 87137e4
Show file tree

Hide file tree

Showing 8 changed files with 17 additions and 9 deletions.
diff --git a/lib/commands/command-install.bash b/lib/commands/command-install.bash
@@ -78,7 +78,7 @@ install_local_tool_versions() {
 
   # Locate all the plugins installed in the system
   local plugins_installed
-  if ls "$plugins_path" &>/dev/null; then
+  if find "$plugins_path" -mindepth 1 -type d &>/dev/null; then
     for plugin_path in "$plugins_path"/*; do
       local plugin_name
       plugin_name=$(basename "$plugin_path")

diff --git a/lib/commands/command-latest.bash b/lib/commands/command-latest.bash
@@ -43,7 +43,7 @@ latest_all() {
   local plugins_path
   plugins_path=$(get_plugin_path)
 
-  if ls "$plugins_path" &>/dev/null; then
+  if find "$plugins_path" -mindepth 1 -type d &>/dev/null; then
     for plugin_path in "$plugins_path"/*; do
       plugin_name=$(basename "$plugin_path")
 

diff --git a/lib/commands/command-list.bash b/lib/commands/command-list.bash
@@ -8,7 +8,7 @@ list_command() {
     local plugins_path
     plugins_path=$(get_plugin_path)
 
-    if ls "$plugins_path" &>/dev/null; then
+    if find "$plugins_path" -mindepth 1 -type d &>/dev/null; then
       for plugin_path in "$plugins_path"/*; do
         plugin_name=$(basename "$plugin_path")
         printf "%s\\n" "$plugin_name"

diff --git a/lib/commands/command-plugin-list-all.bash b/lib/commands/command-plugin-list-all.bash
@@ -9,7 +9,7 @@ plugin_list_all_command() {
   local plugins_local_path
   plugins_local_path="$(get_plugin_path)"
 
-  if ls "$plugins_index_path" &>/dev/null; then
+  if find "$plugins_index_path" -mindepth 1 -type d &>/dev/null; then
     (
       for index_plugin in "$plugins_index_path"/*; do
         index_plugin_name=$(basename "$index_plugin")

diff --git a/lib/commands/command-plugin-list.bash b/lib/commands/command-plugin-list.bash
@@ -23,7 +23,7 @@ plugin_list_command() {
     esac
   done
 
-  if ls "$plugins_path" &>/dev/null; then
+  if find "$plugins_path" -mindepth 1 -type d &>/dev/null; then
     (
       for plugin_path in "$plugins_path"/*; do
         plugin_name=$(basename "$plugin_path")

diff --git a/lib/commands/command-reshim.bash b/lib/commands/command-reshim.bash
@@ -11,7 +11,7 @@ reshim_command() {
     local plugins_path
     plugins_path=$(get_plugin_path)
 
-    if ls "$plugins_path" &>/dev/null; then
+    if find "$plugins_path" -mindepth 1 -type d &>/dev/null; then
       for plugin_path in "$plugins_path"/*; do
         plugin_name=$(basename "$plugin_path")
         reshim_command "$plugin_name"

diff --git a/lib/utils.bash b/lib/utils.bash
@@ -454,7 +454,7 @@ resolve_symlink() {
   # This seems to be the only cross-platform way to resolve symlink paths to
   # the real file path.
   # shellcheck disable=SC2012
-  resolved_path=$(ls -l "$symlink" | sed -e 's|.*-> \(.*\)|\1|')
+  resolved_path=$(ls -l "$symlink" | sed -e 's|.*-> \(.*\)|\1|') # asdf_allow: ls '
 
   # Check if resolved path is relative or not by looking at the first character.
   # If it is a slash we can assume it's root and absolute. Otherwise we treat it

diff --git a/test/banned_commands.bats b/test/banned_commands.bats
@@ -33,6 +33,14 @@ banned_commands_regex=(
     # sort --sort-version isn't supported everywhere
     "sort.*-V"
     "sort.*--sort-versions"
+
+    # ls often gets used when we want to glob for files that match a pattern
+    # or when we want to find all files/directories that match a pattern or are
+    # found in a certain location. Using shell globs is preferred over ls, and
+    # find is better at locating files that are in a certain location or that
+    # match certain filename patterns.
+    # https://github-wiki-see.page/m/koalaman/shellcheck/wiki/SC2012
+    '\bls '
 )
 
 setup() {
@@ -50,7 +58,7 @@ teardown() {
   # followed by an underscore (indicating it's a variable and not a
   # command).
   for cmd in "${banned_commands[@]}"; do
-      run bash -c "grep -nHR '$cmd' asdf.* lib bin\
+      run bash -c "grep -nHR --include \*.bash --include \*.sh '$cmd' asdf.* lib bin\
         | grep -v '#.*$cmd'\
         | grep -v '\".*$cmd.*\"' \
         | grep -v '${cmd}_'\
@@ -67,7 +75,7 @@ teardown() {
   done
 
   for cmd in "${banned_commands_regex[@]}"; do
-      run bash -c "grep -nHRE '$cmd' asdf.* lib bin\
+      run bash -c "grep -nHRE --include \*.bash --include \*.sh '$cmd' asdf.* lib bin\
         | grep -v '#.*$cmd'\
         | grep -v '\".*$cmd.*\"' \
         | grep -v '${cmd}_'\