kitty +open: Ask for permission before executing script files that are not marked as executable

This prevents accidental execution of script files via MIME type
association from programs that unconditionally "open"
attachments/downloaded files via MIME type associations.

docs/changelog.rst

@@ -54,6 +54,9 @@ Detailed list of changes
 
 - Fix re-using an image id for an animated image for a still image causing a crash (:iss:`6244`)
 
+- kitty +open: Ask for permission before executing script files that are not marked as executable. This prevents accidental execution
+  of script files via MIME type association from programs that unconditionally "open" attachments/downloaded files via MIME type associations.
+
 0.28.1 [2023-04-21]
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

kittens/ask/choices.go

@@ -60,7 +60,7 @@ func extra_for(width, screen_width int) int {
 	return utils.Max(0, screen_width-width)/2 + 1
 }
 
-func choices(o *Options) (response string, err error) {
+func GetChoices(o *Options) (response string, err error) {
 	response = ""
 	lp, err := loop.New()
 	if err != nil {

kittens/ask/main.go

@@ -33,7 +33,7 @@ func main(_ *cli.Command, o *Options, args []string) (rc int, err error) {
 	}
 	switch o.Type {
 	case "yesno", "choices":
-		result.Response, err = choices(o)
+		result.Response, err = GetChoices(o)
 		if err != nil {
 			return 1, err
 		}

kitty/entry_points.py

@@ -94,6 +94,7 @@ def edit(args: List[str]) -> None:
 
 
 def shebang(args: List[str]) -> None:
+    from kitty.constants import kitten_exe
     script_path = args[1]
     cmd = args[2:]
     if cmd == ['__ext__']:
@@ -111,7 +112,7 @@ def shebang(args: List[str]) -> None:
                 cmd = line.split(' ')
             else:
                 cmd = line.split(' ', maxsplit=1)
-    os.execvp(cmd[0], cmd + [script_path])
+    os.execvp(kitten_exe(), ['kitten', '__confirm_and_run_shebang__'] + cmd + [script_path])
 
 
 def run_kitten(args: List[str]) -> None:

tools/cmd/tool/confirm_and_run_shebang.go

@@ -0,0 +1,48 @@
+// License: GPLv3 Copyright: 2023, Kovid Goyal, <kovid at kovidgoyal.net>
+
+package tool
+
+import (
+	"fmt"
+	"os"
+
+	"golang.org/x/sys/unix"
+
+	"kitty/kittens/ask"
+	"kitty/tools/cli/markup"
+	"kitty/tools/utils"
+)
+
+var _ = fmt.Print
+
+func ask_for_permission(script_path string) (allowed bool, err error) {
+	opts := &ask.Options{Type: "yesno", Default: "n"}
+
+	ctx := markup.New(true)
+	opts.Message = ctx.Prettify(fmt.Sprintf(
+		"Attempting to execute the script: :yellow:`%s`\nExecuting untrusted scripts can be dangerous. Proceed anyway?", script_path))
+	response, err := ask.GetChoices(opts)
+	return response == "y", err
+}
+
+func confirm_and_run_shebang(args []string) (rc int, err error) {
+	script_path := args[len(args)-1]
+	if unix.Access(script_path, unix.X_OK) != nil {
+		allowed, err := ask_for_permission(script_path)
+		if err != nil {
+			return 1, err
+		}
+		if !allowed {
+			return 1, fmt.Errorf("Execution permission refused by user")
+		}
+	}
+	exe := utils.FindExe(args[0])
+	if exe == "" {
+		return 1, fmt.Errorf("Failed to find the script interpreter: %s", args[0])
+	}
+	err = unix.Exec(exe, args, os.Environ())
+	if err != nil {
+		rc = 1
+	}
+	return
+}

tools/cmd/tool/main.go

@@ -67,4 +67,13 @@ func KittyToolEntryPoints(root *cli.Command) {
 			return
 		},
 	})
+	// __confirm_and_run_shebang__
+	root.AddSubCommand(&cli.Command{
+		Name:            "__confirm_and_run_shebang__",
+		Hidden:          true,
+		OnlyArgsAllowed: true,
+		Run: func(cmd *cli.Command, args []string) (rc int, err error) {
+			return confirm_and_run_shebang(args)
+		},
+	})
 }