fix: only allow downloading from HTTP(s) protocols

2025-04-22 09:23:42 -04:00 · 2025-01-09 16:40:25 -03:00 · 2025-01-09 16:40:25 -03:00 · 3c64490145
commit 3c64490145
parent 5afc4bf841
2 changed files with 10 additions and 3 deletions
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -53,24 +53,30 @@ check_path() {
    return 0
 }

+fetch() {
+    curl -fL \
+        --proto =http,https \
+        "$@"
+}
+
 download() {
    debug "downloading $1 to $2"
    exitcode=0
    statuscode=0

-    curl_params="-fL $1 -o $2 --write-out %{http_code}"
+    curl_params="$1 -o $2 --write-out %{http_code}"

    # shellcheck disable=SC2086 # Intentional
    if [ $_HAS_TTY = 1 ]; then
        # TTY present: Enable curl's progress bar, clear it if operation successful
        tput sc 2>/dev/null || true # Save cursor pos

-        statuscode=$(curl -# $curl_params </dev/tty 3>&1) || exitcode=$?
+        statuscode=$(fetch -# $curl_params </dev/tty 3>&1) || exitcode=$?
        if [ $exitcode = 0 ]; then
            (tput rc; tput ed) 2>/dev/null || true # Reset cursor pos; Clear to end
        fi
    else
-        statuscode=$(curl $curl_params) || exitcode=$?
+        statuscode=$(fetch $curl_params) || exitcode=$?
    fi

    if [ "$statuscode" = "404" ]; then
--- a/scripts/_sources/_zip.sh
+++ b/scripts/_sources/_zip.sh
@ -2,6 +2,7 @@

 _download_type_zip() {
    read_args url skip_404 extract
+    require_args extract

    zip_path="$(mktemp --suffix=.zip)"