
Fix shell script security vulnerabilities, reliability issues, and enhance CLI experience#2

Draft
Copilot wants to merge 4 commits into main from copilot/code-review-and-improvements

Conversation


Copilot AI commented Jan 31, 2026

Comprehensive security and quality improvements across all shell scripts in the dotfiles repository, plus major CLI experience enhancements.

Security Fixes

Command Injection - Unquoted variables in git config allowed arbitrary command execution:

# Before: vulnerable to injection if username contains semicolons
git config --global user.name $USERNAME

# After: properly quoted
git config --global user.name "$USERNAME"

Word Splitting - Unquoted variable expansions throughout ($HOME, $PWD, $ZSH_CUSTOM, etc.) could cause failures with paths containing spaces or special characters. All variable expansions now quoted.

Format String Vulnerabilities - Printf calls in prompt_for_multiselect.sh used variables directly in format strings. Now use proper format specifiers.

Reliability Improvements

Directory Traversal - Font installation cd commands left script in wrong directory on failure. Now isolated in subshells:

(cd "${HOME}/Library/Fonts" && curl -fLo "..." https://...)

Git Clone Idempotency - ZSH plugin installations failed on re-runs. Added existence checks before cloning.

ASDF Plugin Installation - Added || true to plugin-add commands for idempotent execution.

Error Handling - Added error checking for Oh My Zsh installation, Nerd Font downloads, and other critical operations with proper status reporting.

Code Quality

  • Replaced deprecated expr substr $(uname) with [[ "$(uname)" == Linux* ]]
  • Replaced backticks with $() notation
  • Added -r flag to read commands to prevent backslash interpretation
  • Changed let to (( )) arithmetic syntax
  • Added shebangs to sourced scripts
  • Fixed git-prune-branches to handle branch names with spaces using while read instead of for loop with command substitution

CLI Experience Enhancements

Visual Improvements:

  • Added color support with automatic TTY detection (colors disabled in non-TTY environments)
  • Unicode symbols for visual feedback: ✓ (success), ✗ (error), ⚠ (warning), ℹ (info), ► (steps), ▸ (sections)
  • Styled headers with box drawing characters
  • Welcome banner with ASCII art
  • Progress indicators showing step counts (e.g., "Step 2/5")

New Features:

  • --help / -h flag: Display comprehensive usage information
  • --yes / -y flag: Non-interactive mode with default selections
  • Helper functions for consistent messaging: print_header(), print_step(), print_success(), print_error(), print_warning(), print_info(), print_section()

Installation Summary:

  • Categorized status report at completion showing:
    • Successfully installed components (green checkmarks)
    • Skipped components already present (yellow indicators)
    • Failed installations (red X marks)
  • "Next steps" guidance after successful installation

Stats: 6 files modified, +390/-160 lines

Original prompt

This section details the original issue you should resolve

<issue_title>Code review</issue_title>
<issue_description>Review all the code and generate a report
Implement improvements</issue_description>

Comments on the Issue (you are @copilot in this section)


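The fixes listed in the PR description, as an added runnable example that is not the repository's own scripts: each unsafe/fixed pair is a small function whose return value shows the difference. Unquoted expansion subjects a value to word splitting and pathname expansion, so a variable can reach `git config` as several arguments; a value used as printf's format string has its `%` sequences interpreted; a `cd` outside a subshell changes the caller's directory for every later command; `read` without `-r` drops backslashes; `for x in $(cmd)` re-splits output on whitespace. The function names, the stand-ins for `curl` and `git clone`, and the sample inputs are all constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not the repository's scripts): the shell pitfalls the PR
# description lists, each as an unsafe/fixed pair that returns something you
# can check. Runs under bash or sh; nothing below needs network access.

# 1. Unquoted expansion: the shell word-splits and glob-expands the value,
#    so one variable can turn into several arguments (or none).
count_args()    { echo "$#"; }
args_unquoted() { count_args $1; }      # deliberately unquoted, as in the "before" code
args_quoted()   { count_args "$1"; }

# 2. Data as printf's format string: '%' sequences in the value are
#    interpreted. Passing it as an argument to a fixed format is the fix.
render_unsafe() { printf "$1"; }        # format string comes from the data
render_safe()   { printf '%s' "$1"; }

# 3. cd in a subshell: the caller's working directory survives whether the
#    cd succeeds or fails, so a later relative path cannot land elsewhere.
fetch_into() {                          # fetch_into DIR FILE (printf stands in for curl -fLo)
  ( cd "$1" && printf 'font-bytes' > "$2" )
}

# 4. read without -r strips backslashes from the input; -r keeps the line.
first_line_raw()    { printf '%s\n' "$1" | { IFS= read -r line; printf '%s' "$line"; }; }
first_line_cooked() { printf '%s\n' "$1" | { IFS= read    line; printf '%s' "$line"; }; }

# 5. Iterating over command output: for x in $(cmd) re-splits every line on
#    whitespace; while read handles exactly one line per iteration.
count_items_for() {
  n=0; for x in $(printf '%s\n' "$1"); do n=$((n + 1)); done; echo "$n"
}
count_items_while() {
  printf '%s\n' "$1" | { n=0; while IFS= read -r x; do n=$((n + 1)); done; echo "$n"; }
}

# 6. Idempotent install step: check for the artifact before creating it and
#    report which branch was taken, so re-runs neither fail nor repeat work.
ensure_plugin() {                       # ensure_plugin DEST (mkdir stands in for git clone)
  if [ -d "$1/.git" ]; then echo skipped; else mkdir -p "$1/.git" && echo installed; fi
}
```

Source the file and call the pairs with the same input (for example `args_unquoted 'Ada Lovelace'` versus `args_quoted 'Ada Lovelace'`, or `render_unsafe '%s done'` versus `render_safe '%s done'`) to see the difference each quoting or format fix makes.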

- Add proper quoting for all variables to prevent word splitting
- Fix command injection vulnerability in git config
- Add error handling for git clone operations
- Fix directory changes with subshells
- Add -r flag to read commands to prevent backslash interpretation
- Replace deprecated expr substr with bash parameter expansion
- Fix ASDF plugin installation with || true for idempotency
- Add shebangs to all shell scripts
- Fix PATH concatenation in zlogin
- Improve git-prune-branches function with proper quoting
- Replace backticks with $() notation
- Fix printf format string security issues

Co-authored-by: noofreuuuh <1218742+noofreuuuh@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Review code and implement improvements" to "Fix shell script security vulnerabilities and reliability issues" on Jan 31, 2026
Copilot AI requested a review from noofreuuuh January 31, 2026 01:14
@noofreuuuh

@copilot Improve the cli experience

…racking

- Add color support with automatic TTY detection
- Create helper functions for consistent messaging (success, error, warning, info)
- Add welcome banner with ASCII art
- Implement command-line argument parsing (--help, --yes)
- Add comprehensive help/usage information
- Improve visual hierarchy with styled headers and sections
- Add progress tracking with step indicators
- Implement installation summary at the end showing:
  * Successfully installed components
  * Skipped components (already installed)
  * Failed components (with error status)
- Add "Next steps" guidance after installation
- Use Unicode symbols (✓, ✗, ⚠, ℹ, ►) for better visual feedback
- Track installation status for all components
- Add non-interactive mode support with -y flag

Co-authored-by: noofreuuuh <1218742+noofreuuuh@users.noreply.github.com>

Copilot AI commented Jan 31, 2026

@copilot Improve the cli experience

Enhanced the CLI experience with the following improvements (commit ca8a406):

Visual Enhancements:

  • Added color support (green for success, red for errors, yellow for warnings, blue for info)
  • Created styled headers with box drawing characters and Unicode symbols (✓ ✗ ⚠ ℹ ►)
  • Added welcome banner with ASCII art

Functionality:

  • Implemented --help flag to display usage information
  • Added --yes flag for non-interactive installation with defaults
  • Created helper functions for consistent messaging across all installation steps

Progress Tracking:

  • Step indicators showing current progress (e.g., "Step 2/5")
  • Installation summary at the end categorizing components as:
    • Successfully installed (green checkmarks)
    • Skipped/already installed (yellow indicators)
    • Failed (red X marks with exit code)

User Guidance:

  • "Next steps" section after successful installation
  • Clear instructions for post-installation configuration

The script now provides a much more professional and user-friendly installation experience.
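The helpers the comment describes, as an added example that is not the dotfiles install script (every function and variable name here is an assumption): colour codes are produced with printf only when stdout is a TTY, messages are passed to printf as arguments rather than as the format string, `--help`/`--yes` are parsed with a `case`, and a tab-separated status log drives the categorized summary. `demo_install` wires the pieces together with stand-in steps.

```shell
#!/usr/bin/env bash
# Added example (not the dotfiles repository's own install script): the CLI
# helpers the PR comment describes, as a small library you can source or run.
# Every name here (print_*, parse_args, record_status, demo_install) is an
# assumption, not the project's API.

TAB=$(printf '\t'); NL=$(printf '\nx'); NL=${NL%x}   # newline kept out of $(...) trimming
ASSUME_YES=0; SHOW_HELP=0; STEP=0; TOTAL_STEPS=0; STATUS_LOG=''

# Colour only when stdout is a TTY and NO_COLOR is unset; FORCE_COLOR=1 overrides
# (useful in tests, where stdout is a pipe). Escapes come from printf, not echo -e.
setup_colors() {
  if [ "${FORCE_COLOR:-0}" = 1 ] || { [ -t 1 ] && [ -z "${NO_COLOR:-}" ]; }; then
    C_RED=$(printf '\033[31m'); C_GREEN=$(printf '\033[32m')
    C_YELLOW=$(printf '\033[33m'); C_BLUE=$(printf '\033[34m'); C_RESET=$(printf '\033[0m')
  else
    C_RED=''; C_GREEN=''; C_YELLOW=''; C_BLUE=''; C_RESET=''
  fi
}

# Messages are always passed as printf arguments, never as the format string,
# so a component name containing '%' cannot change what gets printed.
print_header()  { printf '%s▸ %s%s\n' "$C_BLUE" "$1" "$C_RESET"; }
print_success() { printf '%s✓%s %s\n' "$C_GREEN" "$C_RESET" "$1"; }
print_warning() { printf '%s⚠%s %s\n' "$C_YELLOW" "$C_RESET" "$1"; }
print_error()   { printf '%s✗%s %s\n' "$C_RED" "$C_RESET" "$1" >&2; }
print_step()    { STEP=$((STEP + 1)); printf '%s► Step %s/%s:%s %s\n' "$C_BLUE" "$STEP" "$TOTAL_STEPS" "$C_RESET" "$1"; }

usage() {
  cat <<'EOF'
Usage: install.sh [-h|--help] [-y|--yes]
  -h, --help   show this help and exit
  -y, --yes    non-interactive mode: accept the default for every prompt
EOF
}

parse_args() {                          # sets ASSUME_YES / SHOW_HELP; returns 1 on an unknown flag
  while [ $# -gt 0 ]; do
    case $1 in
      -h|--help) SHOW_HELP=1 ;;
      -y|--yes)  ASSUME_YES=1 ;;
      *) print_error "unknown option: $1"; return 1 ;;
    esac
    shift
  done
}

confirm() {                             # confirm PROMPT: yes in -y mode, else ask (read -r keeps backslashes)
  if [ "$ASSUME_YES" = 1 ]; then return 0; fi
  printf '%s [y/N] ' "$1"
  IFS= read -r reply
  case $reply in y|Y|yes|YES) return 0 ;; *) return 1 ;; esac
}

record_status() { STATUS_LOG="${STATUS_LOG}${2}${TAB}${1}${NL}"; }   # record_status NAME ok|skipped|failed

count_status() {                        # count_status STATUS -> number of components with that status
  printf '%s' "$STATUS_LOG" | { n=0
    while IFS="$TAB" read -r s name; do if [ "$s" = "$1" ]; then n=$((n + 1)); fi; done
    echo "$n"; }
}

run_step() {                            # run_step NAME CMD [ARGS...]: records ok/failed, keeps CMD's exit code
  name=$1; shift
  if "$@"; then
    record_status "$name" ok; print_success "$name"; return 0
  else
    rc=$?; record_status "$name" failed; print_error "$name (exit $rc)"; return "$rc"
  fi
}

print_summary() {
  print_header "Installation summary"
  printf '%s' "$STATUS_LOG" | while IFS="$TAB" read -r s name; do
    case $s in
      ok)      print_success "$name" ;;
      skipped) print_warning "$name (already present)" ;;
      failed)  print_error "$name" ;;
    esac
  done
  printf '%s installed, %s skipped, %s failed\n' \
    "$(count_status ok)" "$(count_status skipped)" "$(count_status failed)"
  if [ "$(count_status failed)" = 0 ]; then
    print_header "Next steps"; printf '  Restart your shell or run: exec zsh\n'
  fi
}

demo_install() {                        # demo_install [ARGS]: the helpers wired together with stand-in steps
  setup_colors
  parse_args "$@" || return 1
  if [ "$SHOW_HELP" = 1 ]; then usage; return 0; fi
  STEP=0; STATUS_LOG=''; TOTAL_STEPS=3
  print_step "Oh My Zsh";  run_step "Oh My Zsh" true
  print_step "Nerd Font";  record_status "Nerd Font" skipped; print_warning "Nerd Font already installed"
  print_step "asdf plugin"
  if confirm "Add the asdf plugin?"; then run_step "asdf plugin" false || :; else record_status "asdf plugin" skipped; fi
  print_summary
}
```

Running `demo_install --yes` prints three numbered steps and a summary with one installed, one skipped and one failed component; redirecting stdout to a file shows the colour codes disappear because the TTY check fails, while `FORCE_COLOR=1` keeps them.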

- Use printf instead of echo -e in read prompts for reliable color codes
- Add error checking for Oh My Zsh installation
- Add error checking for Nerd Font downloads
- Report warnings when installations encounter issues

Co-authored-by: noofreuuuh <1218742+noofreuuuh@users.noreply.github.com>
Copilot AI changed the title from "Fix shell script security vulnerabilities and reliability issues" to "Fix shell script security vulnerabilities, reliability issues, and enhance CLI experience" on Jan 31, 2026