About downloading a remote config

[lewis-yeung]

I'm testing logic about how OMP uses a remote config and I gets two ideas on it. Ready to create a new PR.

💡 Idea 1: Support both HTTPS & HTTP URLs

A remote config URL may be an HTTP one, e.g., from a private site instead of raw.githubusercontent.com only.

💡 Idea 2: Do not resolve the URL when a download fails

When I test oh-my-posh init pwsh in a bare PowerShell (launched with -NoProfile option) on Windows and without an Internet connection, it shows:

(@(&"<path_to_omp>/oh-my-posh.exe" init pwsh --config="<current_working_dir>\https:\raw.githubusercontent.com\JanDeDobbeleer\oh-my-posh\v7.71.2\themes\default.omp.json" --print) -join "`n") | Invoke-Expression

That means when the download of a remote config fails, the URL will be mistakenly resolved to an absolute path by joining with the CWD.

oh-my-posh/src/environment/shell.go

Lines 236 to 240 in 623fabc

	if strings.HasPrefix(env.CmdFlags.Config, "https://") {
	if err := env.downloadConfig(env.CmdFlags.Config); err == nil {
	return
	}
	}

oh-my-posh/src/environment/shell.go

Lines 251 to 255 in 623fabc

	if !filepath.IsAbs(configFile) {
	if absConfigFile, err := filepath.Abs(configFile); err == nil {
	configFile = absConfigFile
	}
	}

In most cases it will not cause a problem since the fake path will not actually flow into $env:POSH_THEME in PowerShell. However, when I test oh-my-posh init zsh in zsh on WSL, it shows:

export POSH_THEME="<current_working_dir>/https:/raw.githubusercontent.com/JanDeDobbeleer/oh-my-posh/v7.71.2/themes/default.omp.json"
export POWERLINE_COMMAND="oh-my-posh"
export CONDA_PROMPT_MODIFIER=false
...

The env POSH_THEME represents an invalid path in this case.

I think we can make the check like this:

if err := env.downloadConfig(env.CmdFlags.Config); err != nil {
	// make it use default config when download fails
	env.CmdFlags.Config = ""
	return
}

where an early return is reasonable since a default config will definitely be used in this case.

[JanDeDobbeleer]

Idea 1 is not an option as that's a potential security issue. I deliberately only allow https.

Everything else is good as that was also still on my list as I noticed it somewhere last week during another fix.

[lewis-yeung]

Sorry but I don't quite understand how can this happen... Isn't it a string literal surrounded by double quotes? I can only find a constant definition BASH = "bash" in package shell:

oh-my-posh/src/shell/constants.go

Line 5 in 0472cad

BASH = "bash"

Besides, in Git Bash I tried something like eval "$(oh-my-posh init bash --config "/c/path/to/my_theme.omp.json")", and then echo $POSH_THEME, which showed a Windows-style path (with backslashes). This didn't seem to be the expected result. (I have read #1541.)

[JanDeDobbeleer]

You're right, I missed the quotes. They need to be removed indeed. Using shell.BASH is what we need.

[lewis-yeung]

Using shell.BASH leads to an import cycle between package environment and shell, should we use "bash" directly?

[JanDeDobbeleer]

Yes, no other choice in that case.

[lewis-yeung]

@JanDeDobbeleer Will these be fixed in the next release? 😄