git-annex/Utility/SafeOutput.hs

{- Safe output to the terminal of possibly attacker-controlled strings,
 - avoiding displaying control characters.
 -
 - Copyright 2023 Joey Hess <id@joeyh.name>
 -
 - License: BSD-2-clause
 -}

{-# LANGUAGE TypeSynonymInstances, FlexibleInstances, CPP #-}
{-# OPTIONS_GHC -fno-warn-tabs #-}

module Utility.SafeOutput (
	safeOutput,
	IsTerminal(..),
	checkIsTerminal,
) where

import Data.Char
import qualified Data.ByteString as S
import System.IO
#ifdef mingw32_HOST_OS
import System.Win32.MinTTY (isMinTTYHandle)
import System.Win32.File
import System.Win32.Types
import Graphics.Win32.Misc
import Control.Exception
#endif

class SafeOutputtable t where
	safeOutput :: t -> t

instance SafeOutputtable String where
	safeOutput = filter (not . isControl)

instance SafeOutputtable S.ByteString where
	safeOutput = S.filter (not . isControl . chr . fromIntegral)

newtype IsTerminal = IsTerminal Bool

checkIsTerminal :: Handle -> IO IsTerminal
checkIsTerminal h = do
#ifndef mingw32_HOST_OS
	b <- hIsTerminalDevice h
	return (IsTerminal b)
#else
	b <- hIsTerminalDevice h
	if b
		then return (IsTerminal b)
		else do
			h' <- getStdHandle sTD_OUTPUT_HANDLE
				`catch` \(_ :: IOError) ->
					return nullHANDLE
			if h == nullHANDLE
				then return (IsTerminal False)
				else do
					b' <- isMinTTYHandle h'
					return (IsTerminal b)
#endif
filter out control characters in error messages giveup changed to filter out control characters. (It is too low level to make it use StringContainingQuotedPath.) error still does not, but it should only be used for internal errors, where the message is not attacker-controlled. Changed a lot of existing error to giveup when it is not strictly an internal error. Of course, other exceptions can still be thrown, either by code in git-annex, or a library, that include some attacker-controlled value. This does not guard against those. Sponsored-by: Noam Kremen on Patreon 2023-04-10 17:38:14 +00:00			`{- Safe output to the terminal of possibly attacker-controlled strings,`
			`- avoiding displaying control characters.`
			`-`
			`- Copyright 2023 Joey Hess <id@joeyh.name>`
			`-`
			`- License: BSD-2-clause`
			`-}`

find, findkeys, examinekey: escape output to terminal when --format is not used Note that filenames are not quoted, only escaped. This is to match the output of --format with escaping. Sponsored-by: Lawrence Brogan on Patreon 2023-04-11 18:57:09 +00:00			`{-# LANGUAGE TypeSynonymInstances, FlexibleInstances, CPP #-}`
filter out control characters in error messages giveup changed to filter out control characters. (It is too low level to make it use StringContainingQuotedPath.) error still does not, but it should only be used for internal errors, where the message is not attacker-controlled. Changed a lot of existing error to giveup when it is not strictly an internal error. Of course, other exceptions can still be thrown, either by code in git-annex, or a library, that include some attacker-controlled value. This does not guard against those. Sponsored-by: Noam Kremen on Patreon 2023-04-10 17:38:14 +00:00			`{-# OPTIONS_GHC -fno-warn-tabs #-}`

find, findkeys, examinekey: escape output to terminal when --format is not used Note that filenames are not quoted, only escaped. This is to match the output of --format with escaping. Sponsored-by: Lawrence Brogan on Patreon 2023-04-11 18:57:09 +00:00			`module Utility.SafeOutput (`
			`safeOutput,`
			`IsTerminal(..),`
			`checkIsTerminal,`
			`) where`
filter out control characters in error messages giveup changed to filter out control characters. (It is too low level to make it use StringContainingQuotedPath.) error still does not, but it should only be used for internal errors, where the message is not attacker-controlled. Changed a lot of existing error to giveup when it is not strictly an internal error. Of course, other exceptions can still be thrown, either by code in git-annex, or a library, that include some attacker-controlled value. This does not guard against those. Sponsored-by: Noam Kremen on Patreon 2023-04-10 17:38:14 +00:00
			`import Data.Char`
			`import qualified Data.ByteString as S`
find, findkeys, examinekey: escape output to terminal when --format is not used Note that filenames are not quoted, only escaped. This is to match the output of --format with escaping. Sponsored-by: Lawrence Brogan on Patreon 2023-04-11 18:57:09 +00:00			`import System.IO`
			`#ifdef mingw32_HOST_OS`
			`import System.Win32.MinTTY (isMinTTYHandle)`
			`import System.Win32.File`
			`import System.Win32.Types`
			`import Graphics.Win32.Misc`
			`import Control.Exception`
			`#endif`
filter out control characters in error messages giveup changed to filter out control characters. (It is too low level to make it use StringContainingQuotedPath.) error still does not, but it should only be used for internal errors, where the message is not attacker-controlled. Changed a lot of existing error to giveup when it is not strictly an internal error. Of course, other exceptions can still be thrown, either by code in git-annex, or a library, that include some attacker-controlled value. This does not guard against those. Sponsored-by: Noam Kremen on Patreon 2023-04-10 17:38:14 +00:00
			`class SafeOutputtable t where`
			`safeOutput :: t -> t`

			`instance SafeOutputtable String where`
			`safeOutput = filter (not . isControl)`

			`instance SafeOutputtable S.ByteString where`
			`safeOutput = S.filter (not . isControl . chr . fromIntegral)`
find, findkeys, examinekey: escape output to terminal when --format is not used Note that filenames are not quoted, only escaped. This is to match the output of --format with escaping. Sponsored-by: Lawrence Brogan on Patreon 2023-04-11 18:57:09 +00:00
			`newtype IsTerminal = IsTerminal Bool`

			`checkIsTerminal :: Handle -> IO IsTerminal`
			`checkIsTerminal h = do`
			`#ifndef mingw32_HOST_OS`
			`b <- hIsTerminalDevice h`
			`return (IsTerminal b)`
			`#else`
			`b <- hIsTerminalDevice h`
			`if b`
			`then return (IsTerminal b)`
			`else do`
			`h' <- getStdHandle sTD_OUTPUT_HANDLE`
			`catch` \(_ :: IOError) ->
			`return nullHANDLE`
			`if h == nullHANDLE`
			`then return (IsTerminal False)`
			`else do`
			`b' <- isMinTTYHandle h'`
			`return (IsTerminal b)`
			`#endif`