usbguard icon indicating copy to clipboard operation
usbguard copied to clipboard

Published 20 hours ago verified publisher icon USBGuard

scripts: Use bash-builtin `command -v` instead of external `which`

Open a1346054 opened this issue 3 years ago • 5 comments
trafficstars

command -v is a bash builtin and is a standardized version of which

a1346054 avatar Sep 12 '22 23:09 a1346054

The behavior of command -v regarding functions and aliases should not be a problem because user-defined functions and aliases don't persist into scripts.

Additionally, command -v is not just a bash builtin, it's defined by POSIX, so it behaves the same everywhere.

type -P is not POSIX

a1346054 avatar Sep 13 '22 13:09 a1346054

The behavior of command -v regarding functions and aliases should not be a problem because user-defined functions and aliases don't persist into scripts.

True, but someone could add functions right into these scripts. I'm not saying it's super likely to happen but command is not a fit in that regard. It's not a drop-in replacment to which.

Additionally, command -v is not just a bash builtin, it's defined by POSIX, so it behaves the same everywhere.

type -P is not POSIX

Our target is Bash, not POSIX.

hartwork avatar Sep 13 '22 14:09 hartwork

True, but someone could add functions right into these scripts.

then someone could also do type() { echo "something"; }; and break stuff, so we'd need to protect it by calling:

builtin type -P curl

but it gets really crazy if we assume the scenario that users will edit the provided scripts in crazy ways.

Wonder how to fix it if the user did something like:

type() { echo "something"; };
builtin() { echo "anything"; };

a1346054 avatar Sep 13 '22 14:09 a1346054

True, but someone could add functions right into these scripts.

then someone could also do type() { echo "something"; }; and break stuff, so we'd need to protect it by calling:

builtin type -P curl

It doesn't seem to stop there, even builtin() { :; } seems possible, just tried with Bash 5.1.16.

but it gets really crazy if we assume the scenario that users will edit the provided scripts in crazy ways.

I was not speaking of end users. I meant people adjusting these scripts in Git upstream over time.

I think we have both made our points. I would use type -P over command -v because it's more to the point and because we have Bash features available. We can leave the decision to someone with actual merge permissions. @Cropi @radosroka what do you think?

hartwork avatar Sep 13 '22 14:09 hartwork

I was not speaking of end users. I meant people adjusting these scripts in Git upstream over time.

In that case, it might be of interest to note that the behavior of command -v curl is correct there.

If some maintainer for example does:

curl() { wget "$@"; };

with the intention that calling curl is now overridden, then command -v curl will respect that whereas type -P curl will do something else that the maintainer might not have realized.

a1346054 avatar Sep 13 '22 15:09 a1346054