From ee4ba104e722960376988e4e6971b5c5c271c643 Mon Sep 17 00:00:00 2001
From: Junegunn Choi <junegunn.c@gmail.com>
Date: Mon, 2 Oct 2023 20:40:49 +0900
Subject: [PATCH] [completion] Prevent running a command during 'eval'

Do not attempt to provide fuzzy completion if the prefix contains a
pattern that may start an arbitraty command.

* $(...)
* `...`
* <(...)

Close #3459
---
 shell/completion.bash | 4 ++--
 shell/completion.zsh  | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/shell/completion.bash b/shell/completion.bash
index a34e327f..360a646e 100644
--- a/shell/completion.bash
+++ b/shell/completion.bash
@@ -170,7 +170,7 @@ __fzf_generic_path_completion() {
   COMPREPLY=()
   trigger=${FZF_COMPLETION_TRIGGER-'**'}
   cur="${COMP_WORDS[COMP_CWORD]}"
-  if [[ "$cur" == *"$trigger" ]]; then
+  if [[ "$cur" == *"$trigger" ]] && [[ $cur != *'$('* ]] && [[ $cur != *'<('* ]] && [[ $cur != *'`'* ]]; then
     base=${cur:0:${#cur}-${#trigger}}
     eval "base=$base"
 
@@ -235,7 +235,7 @@ _fzf_complete() {
   cmd="${COMP_WORDS[0]//[^A-Za-z0-9_=]/_}"
   trigger=${FZF_COMPLETION_TRIGGER-'**'}
   cur="${COMP_WORDS[COMP_CWORD]}"
-  if [[ "$cur" == *"$trigger" ]]; then
+  if [[ "$cur" == *"$trigger" ]] && [[ $cur != *'$('* ]] && [[ $cur != *'<('* ]] && [[ $cur != *'`'* ]]; then
     cur=${cur:0:${#cur}-${#trigger}}
 
     selected=$(FZF_DEFAULT_OPTS="--height ${FZF_TMUX_HEIGHT:-40%} --reverse --bind=ctrl-z:ignore ${FZF_DEFAULT_OPTS-} ${FZF_COMPLETION_OPTS-} $str_arg" __fzf_comprun "${rest[0]}" "${args[@]}" -q "$cur" | $post | tr '\n' ' ')
diff --git a/shell/completion.zsh b/shell/completion.zsh
index ec2dfdef..fe62b9a8 100644
--- a/shell/completion.zsh
+++ b/shell/completion.zsh
@@ -137,6 +137,9 @@ __fzf_generic_path_completion() {
   tail=$6
 
   setopt localoptions nonomatch
+  if [[ $base = *'$('* ]] || [[ $base = *'<('* ]] || [[ $base = *'`'* ]]; then
+    return
+  fi
   eval "base=$base"
   [[ $base = *"/"* ]] && dir="$base"
   while [ 1 ]; do
@@ -304,6 +307,9 @@ fzf-completion() {
     d_cmds=(${=FZF_COMPLETION_DIR_COMMANDS:-cd pushd rmdir})
 
     [ -z "$trigger"      ] && prefix=${tokens[-1]} || prefix=${tokens[-1]:0:-${#trigger}}
+    if [[ $prefix = *'$('* ]] || [[ $prefix = *'<('* ]] || [[ $prefix = *'`'* ]]; then
+      return
+    fi
     [ -n "${tokens[-1]}" ] && lbuf=${lbuf:0:-${#tokens[-1]}}
 
     if eval "type _fzf_complete_${cmd} > /dev/null"; then