
improve security of zshrc

Taylor Bockman 1 week ago
parent
commit
38ae613e62
  1. 242
      zshrc

242
zshrc

@ -1,108 +1,220 @@
#!/bin/zsh #!/bin/zsh
if [[ "$OSTYPE" == "linux-gnu" ]]; then # -------------------------
symlink_dir=$(cd "$( dirname "`readlink -f ${(%):-%N}`" )" && pwd) # Resolve this config's real directory
# -------------------------
if [[ "$OSTYPE" == "linux-gnu"* ]]; then
symlink_dir="$(cd "$(dirname "$(readlink -f "${(%):-%N}")")" && pwd)"
else else
# OS X is not a fan of `readlink -f` # macOS does not ship GNU readlink -f by default.
symlink_dir=$(cd "$( dirname "`readlink ${(%):-%N}`" )" && pwd) symlink_dir="$(cd "$(dirname "$(readlink "${(%):-%N}")")" && pwd)"
fi fi
# Store private information (exports, keys, etc) in .bash_private. # -------------------------
if [[ -f $HOME/.bash_private ]]; then # Private, machine-local configuration
source $HOME/.bash_private # -------------------------
fi # These files are intentionally not part of this repository.
# Use them for secrets, tokens, private exports, work paths, and host-specific setup.
# Or alternatively .private... [[ -f "$HOME/.bash_private" ]] && source "$HOME/.bash_private"
if [[ -f $HOME/.private ]]; then [[ -f "$HOME/.private" ]] && source "$HOME/.private"
source $HOME/.private [[ -f "$HOME/.zsh_private" ]] && source "$HOME/.zsh_private"
fi
# Or alternatively .zsh_private... # Do not source ~/.inputrc here.
if [[ -f $HOME/.zsh_private ]]; then # It is a readline config file, not shell code.
source $HOME/.zsh_private
fi
if [ -f $HOME/.inputrc ]; then # -------------------------
source $HOME/.inputrc # OS-specific configuration
fi # -------------------------
if [[ "$OSTYPE" == "darwin"* ]]; then if [[ "$OSTYPE" == "darwin"* ]]; then
if [ -f $HOME/.macrc ]; then [[ -f "$HOME/.macrc" ]] && source "$HOME/.macrc"
source $HOME/.macrc
fi
fi fi
# Set up projects and gopath folder properly for the export in the export section. # -------------------------
# Local directories
# -------------------------
if [[ ! -d $HOME/projects ]]; then if [[ ! -d "$HOME/projects" ]]; then
echo "Making $HOME/projects" echo "Making $HOME/projects"
mkdir -p $HOME/projects mkdir -p "$HOME/projects"
fi fi
if [[ -x go ]]; then if command -v go >/dev/null 2>&1; then
echo "Making $HOME/.go" mkdir -p "$HOME/.go"
mkdir -p $HOME/.go
fi fi
# -------------------------
# Git completion
# -------------------------
# Auto-installs Git completion files from a pinned Git commit.
# This avoids fetching from a moving branch like master.
#
# To fill in the placeholders:
#
# cd /tmp
# git clone https://github.com/git/git.git git-src
# cd git-src
# git checkout v2.45.2
# git rev-parse HEAD
# shasum -a 256 contrib/completion/git-completion.bash
# shasum -a 256 contrib/completion/git-completion.zsh
#
# Then paste the commit and hashes below.
ZSH_CACHE_DIR="$HOME/.zsh"
mkdir -p "$ZSH_CACHE_DIR"
GIT_COMPLETION_COMMIT="bea9ecd24b0c3bf06cab4a851694fe09e7e51408"
GIT_COMPLETION_BASH_URL="https://raw.githubusercontent.com/git/git/${GIT_COMPLETION_COMMIT}/contrib/completion/git-completion.bash"
GIT_COMPLETION_ZSH_URL="https://raw.githubusercontent.com/git/git/${GIT_COMPLETION_COMMIT}/contrib/completion/git-completion.zsh"
GIT_COMPLETION_BASH_FILE="$ZSH_CACHE_DIR/git-completion.bash"
GIT_COMPLETION_ZSH_FILE="$ZSH_CACHE_DIR/_git"
GIT_COMPLETION_BASH_SHA256="e667d8fdc0f0071833c94ccb2565a503bf413da0ae28d74efe2e70e2beb1c4c6"
GIT_COMPLETION_ZSH_SHA256="f6075d283250785edcf09281992bde6b4bcc43eb2dca74488d880a52f7659c09"
_zshv2_sha256() {
if command -v sha256sum >/dev/null 2>&1; then
sha256sum "$1" | awk '{print $1}'
elif command -v shasum >/dev/null 2>&1; then
shasum -a 256 "$1" | awk '{print $1}'
else
echo "No SHA-256 tool found. Need sha256sum or shasum." >&2
return 1
fi
}
# Install zsh completion in ~/.zsh if it doesn't exist _zshv2_download_verified() {
if [[ ! -d $HOME/.zsh ]]; then local url="$1"
echo "Installing zsh git completion scripts" local dest="$2"
mkdir -p $HOME/.zsh local expected_sha="$3"
pushd local tmp_file
local actual_sha
cd $HOME/.zsh tmp_file="$(mktemp "${dest}.tmp.XXXXXX")" || return 1
curl -o git-completion.bash https://raw.githubusercontent.com/git/git/master/contrib/completion/git-completion.bash if ! command -v curl >/dev/null 2>&1; then
curl -o _git https://raw.githubusercontent.com/git/git/master/contrib/completion/git-completion.zsh echo "curl is required to install Git completion files." >&2
rm -f "$tmp_file"
return 1
fi
popd if ! curl --fail --location --silent --show-error --output "$tmp_file" "$url"; then
echo "Failed to download $url" >&2
rm -f "$tmp_file"
return 1
fi fi
autoload -U is-at-least actual_sha="$(_zshv2_sha256 "$tmp_file")" || {
rm -f "$tmp_file"
return 1
}
if [[ "$actual_sha" != "$expected_sha" ]]; then
echo "SHA-256 mismatch for $url" >&2
echo "Expected: $expected_sha" >&2
echo "Actual: $actual_sha" >&2
rm -f "$tmp_file"
return 1
fi
mv "$tmp_file" "$dest"
}
_zshv2_file_verified() {
local file="$1"
local expected_sha="$2"
local actual_sha
[[ -f "$file" ]] || return 1
actual_sha="$(_zshv2_sha256 "$file")" || return 1
# Install zsh-syntax-highlighting if it doesn't exist [[ "$actual_sha" == "$expected_sha" ]]
if is-at-least 4.3.11; then }
if [[ ! -d $HOME/.zsh/zsh-syntax-highlighting ]]; then
echo "Installing zsh syntax highlighting"
pushd
cd $HOME/.zsh if [[ "$GIT_COMPLETION_COMMIT" != "PUT_PINNED_GIT_COMMIT_HASH_HERE" ]] &&
git clone https://github.com/zsh-users/zsh-syntax-highlighting.git [[ "$GIT_COMPLETION_BASH_SHA256" != "PUT_SHA256_FOR_GIT_COMPLETION_BASH_HERE" ]] &&
[[ "$GIT_COMPLETION_ZSH_SHA256" != "PUT_SHA256_FOR_GIT_COMPLETION_ZSH_HERE" ]]; then
popd if ! _zshv2_file_verified "$GIT_COMPLETION_BASH_FILE" "$GIT_COMPLETION_BASH_SHA256"; then
_zshv2_download_verified "$GIT_COMPLETION_BASH_URL" "$GIT_COMPLETION_BASH_FILE" "$GIT_COMPLETION_BASH_SHA256"
fi
if ! _zshv2_file_verified "$GIT_COMPLETION_ZSH_FILE" "$GIT_COMPLETION_ZSH_SHA256"; then
_zshv2_download_verified "$GIT_COMPLETION_ZSH_URL" "$GIT_COMPLETION_ZSH_FILE" "$GIT_COMPLETION_ZSH_SHA256"
fi fi
else else
echo "ZSH syntax highlighting requires ZSH >= 4.3.11 (current: $ZSH_VERSION)." echo "Git completion auto-install skipped: pinned commit and SHA-256 values are not configured." >&2
fi
if [[ -f "$GIT_COMPLETION_BASH_FILE" ]]; then
zstyle ':completion:*:*:git:*' script "$GIT_COMPLETION_BASH_FILE"
fi fi
zstyle ':completion:*:*:git:*' script $HOME/.zsh/git-completion.bash fpath=("$ZSH_CACHE_DIR" $fpath)
fpath=(~/.zsh $fpath)
autoload -Uz compinit && compinit autoload -Uz compinit
compinit
# -------------------------
# Pull in modular config
# -------------------------
# Pull in other configurations source "$symlink_dir/aliases.zsh"
source $symlink_dir/aliases.zsh source "$symlink_dir/functions.zsh"
source $symlink_dir/functions.zsh source "$symlink_dir/exports.zsh"
source $symlink_dir/exports.zsh source "$symlink_dir/initializations.zsh"
source $symlink_dir/initializations.zsh source "$symlink_dir/ps1.zsh"
source $symlink_dir/ps1.zsh source "$symlink_dir/keybinds.zsh"
source $symlink_dir/keybinds.zsh
# ZSH syntax highlighting must be sourced last # -------------------------
source $HOME/.zsh/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh # Language/tool initialization
# -------------------------
# Created by `userpath` on 2022-09-05 23:32:41 # Rust
export PATH="$PATH:$HOME/.local/bin" [[ -f "$HOME/.cargo/env" ]] && source "$HOME/.cargo/env"
# ghcup config - Haskell # Haskell / GHCup
[ -f "/home/taylor/.ghcup/env" ] && source "/home/taylor/.ghcup/env" # ghcup-env [[ -f "$HOME/.ghcup/env" ]] && source "$HOME/.ghcup/env"
# Ocaml # OCaml / opam
test -r $HOME/.opam/opam-init/init.sh && . $HOME/.opam/opam-init/init.sh > /dev/null 2> /dev/null || true [[ -r "$HOME/.opam/opam-init/init.sh" ]] && . "$HOME/.opam/opam-init/init.sh" >/dev/null 2>/dev/null || true
# -------------------------
# ZSH syntax highlighting
# -------------------------
# This still supports an existing local clone under:
#
# $HOME/.zsh/zsh-syntax-highlighting
#
# But it does not automatically clone during shell startup.
# Install with:
#
# brew install zsh-syntax-highlighting
#
# or:
#
# sudo apt install zsh-syntax-highlighting
#
# It must be sourced last.
if [[ -f "$HOME/.zsh/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" ]]; then
source "$HOME/.zsh/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh"
elif [[ -f "/opt/homebrew/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" ]]; then
source "/opt/homebrew/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh"
elif [[ -f "/usr/local/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" ]]; then
source "/usr/local/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh"
elif [[ -f "/usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" ]]; then
source "/usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh"
fi
# ------------------------- # -------------------------
# Deduplicate PATH # Deduplicate PATH
# ------------------------- # -------------------------
typeset -U path PATH typeset -U path PATH
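Review bot: The SHA-256 check only decides whether to re-download; it does not gate what gets loaded, so a stale or tampered completion file that fails verification is still used whenever the download also fails (offline, 404, second mismatch): `zstyle ':completion:*:*:git:*' script "$GIT_COMPLETION_BASH_FILE"` is guarded only by `[[ -f "$GIT_COMPLETION_BASH_FILE" ]]`, and `_git` is picked up by `compinit` through `fpath=("$ZSH_CACHE_DIR" $fpath)` with no check at all. Gate the bash registration on the hash, `if _zshv2_file_verified "$GIT_COMPLETION_BASH_FILE" "$GIT_COMPLETION_BASH_SHA256"; then`, and remove a file that cannot be brought to a verified state, e.g. `_zshv2_download_verified "$GIT_COMPLETION_ZSH_URL" "$GIT_COMPLETION_ZSH_FILE" "$GIT_COMPLETION_ZSH_SHA256" || rm -f -- "$GIT_COMPLETION_ZSH_FILE"` (and the same for the bash file), so an unverified copy never stays on `fpath`. Because this block runs on every interactive shell start, the curl invocation should also carry `--max-time` and `--proto '=https'`, so a stalled network cannot hang login and `--location` cannot follow a redirect to plain HTTP, even though the hash would catch a substituted body.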
