avoid potential arbitrary code execution from package.sh

[tst2005]

I'm trying to avoid arbitrary code execution from package.sh file.

We can extract the value with restricted pattern.
It avoid any arbitrary code execution.

Allowed variables seems only : BINS, DEPS, BASH_COMPLETIONS, ZSH_COMPLETIONS.
I only see simple static values.
Tested from all known basher repositories.

$ ls -1 packages/ | wc -l
101
$ find packages/ -maxdepth 2 -name 'package.sh' -exec grep -Hn '^[^#]+' {} ;|sort
packages/benv/package.sh:1:BASH_COMPLETIONS=benv.completions
packages/dotenv/package.sh:1:BINS=dotenv
packages/dotenv/package.sh:2:BUILD_DEPS=bashup/mdsh
packages/gitea-cli/package.sh:1:BINS=bin/gitea
packages/git-identity/package.sh:4:BINS='git-identity'
packages/git-identity/package.sh:6:BASH_COMPLETIONS='git-identity.bash-completion'
packages/git-identity/package.sh:8:ZSH_COMPLETIONS='git-identity.zsh-completion'
packages/jqmd/package.sh:1:BINS=bin/jqmd
packages/mdsh/package.sh:1:BINS=bin/mdsh
packages/shelldemo/package.sh:1:BINS="bin/shelldemo"
packages/shelldemo/package.sh:2:DEPS="gitlab.com/shellm/core"
packages/shelldemo/package.sh:3:BASH_COMPLETIONS="cmp/shelldemo.completion.bash"
packages/shelldemo/package.sh:4:ZSH_COMPLETIONS="cmp/shelldemo.completion.zsh"

I don't know if it is the better solution but it is one way to do.

Regards,

[juanibiapina]

Thanks for the contribution! It needs test coverage.

Have you tried doing this with a coding agent?