How to audit a shell-completion script? - eviltoast

I just stumbled upon a collection of bash completions which can be quite handy: https://github.com/perlpunk/shell-completions

I tried mojo, cpan and pip completions in a sandbox and they worked like a charm!

The only question I’ve got is, has anyone ever done a security audit of the repository? Anyone has taken the time to look at the code? I could try auditing but I’m not even sure what to look for.

I feel quite wary of letting an unknown source access to my bash session and what I type.

  • Ordoviz@lemmy.ml
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    The mojo, cpan and pip bash scripts don’t fail my test of “skimming over the source and looking for dangerous external commands like curl or rm” (good syntax highlighting is helpful here). They look like typical completion scripts. However, if your Linux distribution has a pip completion script in their repos, prefer that one.

    • bahmanm@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Thanks. At least I’ve got a few clues to look for when auditing such code.