Ian Manske f3cf693ec7
Disallow more characters in arguments for internal cmd commands (#13009)
# Description
Makes `run-external` error if arguments to `cmd.exe` internal commands
contain newlines or a percent sign. This is because the percent sign can
expand environment variables, potentially? allowing command injection.
Newlines I think will truncate the rest of the arguments and should
probably be disallowed to be safe.

# After Submitting
- If the user calls `cmd.exe` directly, then this bypasses our
handling/checking for internal `cmd` commands. Instead, we use the
handling from the Rust std lib which, in this case, does not do special
handling and is potentially unsafe. Then again, it could be the user's
specific intention to run `cmd` with whatever trusted input. The problem
is that since we use the std lib handling, it assumes the exe uses the C
runtime escaping rules and will perform some unwanted escaping. E.g., it
will add backslashes to the quotes in `cmd echo /c '""'`.
- If `cmd` is called indirectly via a `.bat` or `.cmd` file, then we use
the Rust std lib which has separate handling for bat files that should
be safe, but will reject some inputs.
- ~~I'm not sure how we handle `PATHEXT`, that can also cause a file
without an extension to be run as a bat file. If so, I don't know where
the handling, if any, is done for that.~~ It looks like we use the
`which` crate to do the lookup using `PATHEXT`. Then, we pass the exe
path from that to the Rust std lib `Command`, which should be safe
(except for the first `cmd.exe` note).

So, in the future we need to unify and/or fix these different
implementations, including our own special handling for internal `cmd`
commands that this PR tries to fix.
2024-05-30 19:24:48 +00:00
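The check described in the commit message above, together with the C-runtime escaping it says the Rust std lib applies, as an added Rust example that is not Nushell's own code. `REJECTED`, `check_cmd_internal_args` and `crt_escape` are hypothetical names, and treating `\r` as part of a newline is an assumption.

```rust
// Added example; names are hypothetical, not Nushell's own code.
// Characters the commit message rejects; '\r' is an added assumption.
const REJECTED: [char; 3] = ['%', '\n', '\r'];

/// Err names the first offending argument index and character.
fn check_cmd_internal_args(args: &[&str]) -> Result<(), String> {
    for (i, arg) in args.iter().enumerate() {
        if let Some(c) = arg.chars().find(|c| REJECTED.contains(c)) {
            return Err(format!("argument {} contains disallowed {:?}", i, c));
        }
    }
    Ok(())
}

/// Windows C-runtime style escaping of one argument (the rules the message
/// says the std lib assumes the target exe uses).
fn crt_escape(arg: &str) -> String {
    let quote = arg.is_empty() || arg.contains(' ') || arg.contains('\t');
    let mut out = String::new();
    if quote { out.push('"'); }
    let mut backslashes = 0usize;
    for c in arg.chars() {
        if c == '\\' {
            backslashes += 1;
        } else {
            if c == '"' {
                // n pending backslashes become 2n, plus one to escape the quote.
                out.extend(std::iter::repeat('\\').take(backslashes + 1));
            }
            backslashes = 0;
        }
        out.push(c);
    }
    if quote {
        // Backslashes before the closing quote are doubled as well.
        out.extend(std::iter::repeat('\\').take(backslashes));
        out.push('"');
    }
    out
}

fn main() {
    // Constructed sample arguments.
    for args in [vec!["hello"], vec!["%PATH%"], vec!["a\nb"]] {
        println!("{:?} -> {:?}", args, check_cmd_internal_args(&args));
    }
    println!("{}", crt_escape("\"\""));
}
```

The last line prints `\"\"`, the backslash-escaped form of `""` that the message describes as unwanted when the target is `cmd`.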
.cargo optimize aarch64 when able (#10433) 2023-09-21 03:57:07 +12:00
.githooks Add git hooks for formatting and running clippy (#8820) 2023-04-13 07:34:23 -05:00
.github Bump actions/checkout from 4.1.5 to 4.1.6 (#12934) 2024-05-22 11:22:02 +08:00
assets REFACTOR: clean the root of the repo (#9231) 2023-05-20 07:57:51 -05:00
benches Refactor the CLI code a bit (#12782) 2024-05-10 07:29:27 +08:00
crates Disallow more characters in arguments for internal cmd commands (#13009) 2024-05-30 19:24:48 +00:00
devdocs Remove dataframes crate and feature (#12889) 2024-05-20 17:22:08 +00:00
docker Fix alpine docker file (#10992) 2023-11-08 06:30:34 -06:00
scripts Remove dataframes crate and feature (#12889) 2024-05-20 17:22:08 +00:00
src Revert "Remove std::env::set_current_dir() call from EngineState::merge_env()" (#12954) 2024-05-24 11:09:59 -05:00
tests fix do closure with both required, options, and rest args (#13002) 2024-05-30 08:29:46 -05:00
wix change wix install method from perMachine to perUser (#12720) 2024-05-01 17:31:16 -05:00
.gitattributes Add Nushell Language detect for linguist (#9491) 2023-06-21 15:30:10 +08:00
.gitignore Add custom datetime format through strftime strings (#9500) 2023-06-23 15:05:04 -05:00
Cargo.lock Bump version to 0.94.1 (#12988) 2024-05-28 22:41:23 +00:00
Cargo.toml Bump version to 0.94.1 (#12988) 2024-05-28 22:41:23 +00:00
CODE_OF_CONDUCT.md First pass at updating all documentation formatting and cleaning up output of examples (#2031) 2020-06-24 06:21:47 +12:00
CONTRIBUTING.md Remove dataframes crate and feature (#12889) 2024-05-20 17:22:08 +00:00
Cross.toml Fix cross-compiling with cross-rs (#9972) 2023-08-09 22:08:35 -07:00
LICENSE Update LICENSE 2023-04-03 08:23:19 +12:00
README.md Update contributor image generation with new upper bound (#12198) 2024-03-13 19:42:47 +01:00
rust-toolchain.toml Bump our Rust version to stable (#12471) 2024-04-10 23:41:38 +02:00
toolkit.nu Remove dataframes crate and feature (#12889) 2024-05-20 17:22:08 +00:00
typos.toml Minimize future false positive typos (#12751) 2024-05-04 15:00:44 +00:00

Nushell


A new type of shell.



Status

This project has reached a minimum-viable-product level of quality. Many people use it as their daily driver, but it may be unstable for some commands. Nu's design is subject to change as it matures.

Learning About Nu

The Nushell book is the primary source of Nushell documentation. You can find a full list of Nu commands in the book, and we have many examples of using Nu in our cookbook.

We're also active on Discord and Twitter; come and chat with us!

Installation

To quickly install Nu:

# Linux and macOS
brew install nushell
# Windows
winget install nushell

To use Nu in GitHub Actions, see setup-nu for details.

Detailed installation instructions can be found in the installation chapter of the book. Nu is available via many package managers:

Packaging status

For details about which platforms the Nushell team actively supports, see our platform support policy.

Configuration

The default configurations can be found at sample_config; these are the configuration files you get when you start up Nushell for the first time.

They set all of the default configuration needed to run Nushell. From there, you can customize them for your specific needs.

To see where config.nu is located on your system, run this command:

$nu.config-path

Please see our book for all of the Nushell documentation.

Philosophy

Nu draws inspiration from projects like PowerShell, functional programming languages, and modern CLI tools. Rather than thinking of files and data as raw streams of text, Nu looks at each input as something with structure. For example, when you list the contents of a directory what you get back is a table of rows, where each row represents an item in that directory. These values can be piped through a series of steps, in a series of commands called a 'pipeline'.

Pipelines

In Unix, it's common to pipe between commands to split up a sophisticated command over multiple steps. Nu takes this a step further and builds heavily on the idea of pipelines. As in the Unix philosophy, Nu allows commands to output to stdout and read from stdin. Additionally, commands can output structured data (you can think of this as a third kind of stream). Commands that work in the pipeline fit into one of three categories:

  • Commands that produce a stream (e.g., ls)
  • Commands that filter a stream (e.g., where type == "dir")
  • Commands that consume the output of the pipeline (e.g., table)

Commands are separated by the pipe symbol (|) to denote a pipeline flowing left to right.

> ls | where type == "dir" | table
╭────┬──────────┬──────┬─────────┬───────────────╮
│ #  │   name   │ type │  size   │   modified    │
├────┼──────────┼──────┼─────────┼───────────────┤
│  0 │ .cargo   │ dir  │     0 B │ 9 minutes ago │
│  1 │ assets   │ dir  │     0 B │ 2 weeks ago   │
│  2 │ crates   │ dir  │ 4.0 KiB │ 2 weeks ago   │
│  3 │ docker   │ dir  │     0 B │ 2 weeks ago   │
│  4 │ docs     │ dir  │     0 B │ 2 weeks ago   │
│  5 │ images   │ dir  │     0 B │ 2 weeks ago   │
│  6 │ pkg_mgrs │ dir  │     0 B │ 2 weeks ago   │
│  7 │ samples  │ dir  │     0 B │ 2 weeks ago   │
│  8 │ src      │ dir  │ 4.0 KiB │ 2 weeks ago   │
│  9 │ target   │ dir  │     0 B │ a day ago     │
│ 10 │ tests    │ dir  │ 4.0 KiB │ 2 weeks ago   │
│ 11 │ wix      │ dir  │     0 B │ 2 weeks ago   │
╰────┴──────────┴──────┴─────────┴───────────────╯

Because most of the time you'll want to see the output of a pipeline, table is assumed. We could have also written the above:

> ls | where type == "dir"

Being able to use the same commands and compose them differently is an important philosophy in Nu. For example, we could use the built-in ps command to get a list of the running processes, using the same where as above.

> ps | where cpu > 0
╭───┬───────┬───────────┬───────┬───────────┬───────────╮
│ # │  pid  │   name    │  cpu  │    mem    │  virtual  │
├───┼───────┼───────────┼───────┼───────────┼───────────┤
│ 0 │  2240 │ Slack.exe │ 16.40 │ 178.3 MiB │ 232.6 MiB │
│ 1 │ 16948 │ Slack.exe │ 16.32 │ 205.0 MiB │ 197.9 MiB │
│ 2 │ 17700 │ nu.exe    │  3.77 │  26.1 MiB │   8.8 MiB │
╰───┴───────┴───────────┴───────┴───────────┴───────────╯

Opening files

Nu can load file and URL contents as raw text or structured data (if it recognizes the format). For example, you can load a .toml file as structured data and explore it:

> open Cargo.toml
╭──────────────────┬────────────────────╮
│ bin              │ [table 1 row]      │
│ dependencies     │ {record 25 fields} │
│ dev-dependencies │ {record 8 fields}  │
│ features         │ {record 10 fields} │
│ package          │ {record 13 fields} │
│ patch            │ {record 1 field}   │
│ profile          │ {record 3 fields}  │
│ target           │ {record 3 fields}  │
│ workspace        │ {record 1 field}   │
╰──────────────────┴────────────────────╯

We can pipe this into a command that gets the contents of one of the columns:

> open Cargo.toml | get package
╭───────────────┬────────────────────────────────────╮
│ authors       │ [list 1 item]                      │
│ default-run   │ nu                                 │
│ description   │ A new type of shell                │
│ documentation │ https://www.nushell.sh/book/       │
│ edition       │ 2018                               │
│ exclude       │ [list 1 item]                      │
│ homepage      │ https://www.nushell.sh             │
│ license       │ MIT                                │
│ metadata      │ {record 1 field}                   │
│ name          │ nu                                 │
│ repository    │ https://github.com/nushell/nushell │
│ rust-version  │ 1.60                               │
│ version       │ 0.72.0                             │
╰───────────────┴────────────────────────────────────╯

And if needed we can drill down further:

> open Cargo.toml | get package.version
0.72.0

Plugins

Nu supports plugins that offer additional functionality to the shell and follow the same structured data model that built-in commands use. There are a few examples in the crates/nu_plugins_* directories.

Plugins are binaries that are available in your path and follow a nu_plugin_* naming convention. These binaries interact with nu via a simple JSON-RPC protocol where the command identifies itself and passes along its configuration, making it available for use. If the plugin is a filter, data streams to it one element at a time, and it can stream data back in return via stdin/stdout. If the plugin is a sink, it is given the full vector of final data and is given free rein over stdin/stdout to use as it pleases.

The awesome-nu repo lists a variety of nu-plugins while the showcase repo shows off informative blog posts that have been written about Nushell along with videos that highlight technical topics that have been presented.

Goals

Nu adheres closely to a set of goals that make up its design philosophy. As features are added, they are checked against these goals.

  • First and foremost, Nu is cross-platform. Commands and techniques should work across platforms and Nu has first-class support for Windows, macOS, and Linux.

  • Nu ensures compatibility with existing platform-specific executables.

  • Nu's workflow and tools should have the usability expected of modern software in 2022 (and beyond).

  • Nu views data as either structured or unstructured. It is a structured shell like PowerShell.

  • Finally, Nu views data functionally. Rather than using mutation, pipelines act as a means to load, change, and save data without mutable state.

Officially Supported By

Please submit an issue or PR to be added to this list.

Contributing

See Contributing for details. Thanks to all the people who already contributed!

License

The project is made available under the MIT license. See the LICENSE file for more information.