Remove broken frivolous function from install script

per1234 · per1234 · commit 127116b30163 · 2022-04-20T06:23:16.000-07:00
The "template" installation script contained a `get()` function used to make an HTTP request.

The response body is required by the caller, but shell functions do not support returning content as you might do when
using a more capable programming language.

As a workaround, the script author set up a system where the caller passed an arbitrary variable name to the function,
which the function then assigns with the response body string.

This was done using the `eval` builtin. The `eval` command was quoted in a naive manner, not considering that the body
content could contain any arbitrary characters. This made it possible that contents of the response body could be
unintentionally executed on the user's machine.

In the context of the installation script, this happened under the following conditions:

- The release download was not available from Arduino's downloads server
- The response body from the Releases GitHub API request contained single quotes

The most minimal fix would likely have been to change the `eval` command so that the variable containing the response
body text was not expanded in the command:

eval "$1=\$GET_BODY"

However, this problem has provided clear evidence that best practices are to avoid `eval` altogether unless absolutely
necessary. Since it is only called once, the entire function is not necessary (and in fact it is questionable whether
there is any real value in the entire GitHub releases fallback system). So I decided the best fix was to do away with
the function altogether, replacing its single call with the contents of the former function. This removed unnecessary
complexity from the script without any decrease in efficiency or increase in maintenance burden.
diff --git a/other/installation-script/install.sh b/other/installation-script/install.sh
@@ -87,25 +87,6 @@ checkLatestVersion() {
   eval "$1='$CHECKLATESTVERSION_TAG'"
 }
 
-get() {
-  GET_URL="$2"
-  echo "Getting $GET_URL"
-  if [ "$DOWNLOAD_TOOL" = "curl" ]; then
-    GET_HTTP_RESPONSE=$(curl -sL --write-out 'HTTPSTATUS:%{http_code}' "$GET_URL")
-    GET_HTTP_STATUS_CODE=$(echo "$GET_HTTP_RESPONSE" | tr -d '\n' | sed -e 's/.*HTTPSTATUS://')
-    GET_BODY=$(echo "$GET_HTTP_RESPONSE" | sed -e 's/HTTPSTATUS\:.*//g')
-  elif [ "$DOWNLOAD_TOOL" = "wget" ]; then
-    TMP_FILE=$(mktemp)
-    GET_BODY=$(wget --server-response --content-on-error -q -O - "$GET_URL" 2>"$TMP_FILE" || true)
-    GET_HTTP_STATUS_CODE=$(awk '/^  HTTP/{print $2}' "$TMP_FILE")
-  fi
-  if [ "$GET_HTTP_STATUS_CODE" != 200 ]; then
-    echo "Request failed with HTTP status code $GET_HTTP_STATUS_CODE"
-    fail "Body: $GET_BODY"
-  fi
-  eval "$1='$GET_BODY'"
-}
-
 getFile() {
   GETFILE_URL="$1"
   GETFILE_FILE_PATH="$2"
@@ -147,11 +128,24 @@ downloadFile() {
   if [ "$httpStatusCode" -ne 200 ]; then
     echo "Did not find a release for your system: $OS $ARCH"
     echo "Trying to find a release using the GitHub API."
+
     LATEST_RELEASE_URL="https://api.github.com/repos/${PROJECT_OWNER}/$PROJECT_NAME/releases/tags/$TAG"
-    echo "LATEST_RELEASE_URL=$LATEST_RELEASE_URL"
-    get LATEST_RELEASE_JSON "$LATEST_RELEASE_URL"
+    if [ "$DOWNLOAD_TOOL" = "curl" ]; then
+      HTTP_RESPONSE=$(curl -sL --write-out 'HTTPSTATUS:%{http_code}' "$LATEST_RELEASE_URL")
+      HTTP_STATUS_CODE=$(echo "$HTTP_RESPONSE" | tr -d '\n' | sed -e 's/.*HTTPSTATUS://')
+      BODY=$(echo "$HTTP_RESPONSE" | sed -e 's/HTTPSTATUS\:.*//g')
+    elif [ "$DOWNLOAD_TOOL" = "wget" ]; then
+      TMP_FILE=$(mktemp)
+      BODY=$(wget --server-response --content-on-error -q -O - "$LATEST_RELEASE_URL" 2>"$TMP_FILE" || true)
+      HTTP_STATUS_CODE=$(awk '/^  HTTP/{print $2}' "$TMP_FILE")
+    fi
+    if [ "$HTTP_STATUS_CODE" != 200 ]; then
+      echo "Request failed with HTTP status code $HTTP_STATUS_CODE"
+      fail "Body: $BODY"
+    fi
+
     # || true forces this command to not catch error if grep does not find anything
-    DOWNLOAD_URL=$(echo "$LATEST_RELEASE_JSON" | grep 'browser_' | cut -d\" -f4 | grep "$APPLICATION_DIST") || true
+    DOWNLOAD_URL=$(echo "$BODY" | grep 'browser_' | cut -d\" -f4 | grep "$APPLICATION_DIST") || true
     if [ -z "$DOWNLOAD_URL" ]; then
       echo "Sorry, we dont have a dist for your system: $OS $ARCH"
       fail "You can request one here: https://github.com/${PROJECT_OWNER}/$PROJECT_NAME/issues"
