git-annex/Utility/SafeOutput.hs

{- Safe output to the terminal of possibly attacker-controlled strings,
 - avoiding displaying control characters.
 -
 - Copyright 2023 Joey Hess <id@joeyh.name>
 -
 - License: BSD-2-clause
 -}

{-# LANGUAGE TypeSynonymInstances, FlexibleInstances #-}
{-# OPTIONS_GHC -fno-warn-tabs #-}

module Utility.SafeOutput (safeOutput) where

import Data.Char
import qualified Data.ByteString as S

class SafeOutputtable t where
	safeOutput :: t -> t

instance SafeOutputtable String where
	safeOutput = filter (not . isControl)

instance SafeOutputtable S.ByteString where
	safeOutput = S.filter (not . isControl . chr . fromIntegral)
filter out control characters in error messages giveup changed to filter out control characters. (It is too low level to make it use StringContainingQuotedPath.) error still does not, but it should only be used for internal errors, where the message is not attacker-controlled. Changed a lot of existing error to giveup when it is not strictly an internal error. Of course, other exceptions can still be thrown, either by code in git-annex, or a library, that include some attacker-controlled value. This does not guard against those. Sponsored-by: Noam Kremen on Patreon 2023-04-10 17:38:14 +00:00			`{- Safe output to the terminal of possibly attacker-controlled strings,`
			`- avoiding displaying control characters.`
			`-`
			`- Copyright 2023 Joey Hess <id@joeyh.name>`
			`-`
			`- License: BSD-2-clause`
			`-}`

			`{-# LANGUAGE TypeSynonymInstances, FlexibleInstances #-}`
			`{-# OPTIONS_GHC -fno-warn-tabs #-}`

			`module Utility.SafeOutput (safeOutput) where`

			`import Data.Char`
			`import qualified Data.ByteString as S`

			`class SafeOutputtable t where`
			`safeOutput :: t -> t`

			`instance SafeOutputtable String where`
			`safeOutput = filter (not . isControl)`

			`instance SafeOutputtable S.ByteString where`
			`safeOutput = S.filter (not . isControl . chr . fromIntegral)`