I guess calling that risky is fair. I have not adequately shown that this covers every possible case. If I was great at formal verification, I could attempt to prove that. Albeit, that would be more work than just using a better method. I viewed this as essentially escaping input. For example, in HTML it is sufficient to escape something like 3 symbols. Here's the filter:

cat | sed -r 's/\$\([^)]+\)//g
s/`[^`]+`//g
s/;.*//g'

Though, there are some filters that I would not view as risky (provided sed does exactly what the regular expression states):

cat | sed -r 's/.*//g'

Maybe a whitelist approach would have been better. In any case, I went with the Bash code you provided. Thanks for the bug report. Fixed.



On Wed, Oct 25, 2017 at 1:55 AM, Alad Wenter <alad@mailbox.org> wrote:
> However, I at present do not believe spinach is "risky." It does not source
> the PKGBUILD directly. I do not think it will allow arbitrary code
> execution before viewing unless there is a method for executing code in a
> string in Bash other than with tick marks or $(...). I would easily be
> convinced that it is risky if I could find such an example. Note that such
> things are listed in a security section in the man page. Though, as you
> said, I could (and should) change this fairly easily to use a more modern
> method.
>
You're running executable code in the hopes that you've covered every possible case with an adhoc filter. That fits the definition of "risk" pretty well.

> In my view this discussion might be more suited as a bug report for spinach
> rather than a cause for deleting the package, but delete it if you wish.
>
When I filed the request I was looking at the git history, with the latest commit in 2014 (that's long before AUR 4). Since you as the author are ostensibly still alive, I've filed an issue with possible implementations:

https://github.com/floft/spinach/issues/2