fix: avoid operand evaluation as argument

Explicit end option parsing as the shell can be quite dangerous without
it.

files/dom0/.local/bin/dom0/qvm-backup-dom0-provision

@@ -15,6 +15,6 @@ source_dirs="
 target_dir="/home/user/backup/$(date +%Y-%m-%d_%H-%M)"
 
 for dir in ${source_dirs}; do
-  mkdir -p "${target_dir}${dir}"
-  cp -a "${dir}"/* "${target_dir}/${dir}"
+  mkdir -p -- "${target_dir}${dir}"
+  cp -a -- "${dir}"/* "${target_dir}/${dir}"
 done

files/dom0/.local/bin/dom0/qvm-stats

@@ -20,7 +20,7 @@ fi
 
 sensors_stats () {
   # shellcheck disable=SC2312
-  sensors | grep -E "^(${sensor_lines})"
+  sensors | grep -E -e "^(${sensor_lines})"
 }
 
 delay=5
@@ -35,7 +35,7 @@ trap "tput reset" HUP INT QUIT ABRT TERM EXIT
 
 tput reset
 sensors_stats
-echo -e "${header}"
+printf '%b\n' "${header}"
 cpusum=0; memsum=0; table="${sumline}"
 # shellcheck disable=SC2016,SC2312
 stdbuf -oL xentop -b -f -d "${delay}" | \
@@ -59,7 +59,7 @@ stdbuf -oL xentop -b -f -d "${delay}" | \
         #clear
         #sensors |grep -E "^(${sensor_lines})"
         sensors_stats
-        echo -e "\033[2K${header}\n"
+        printf '%b\n' "\033[2K${header}\n"
       fi
     done
   )

files/dom0/.local/bin/dom0/qvm-stats-short

@@ -13,6 +13,6 @@
 ##   2) Right click on the newly added monitor and choose properties.
 ##   3) Add this script to the command field.
 
-xl list | awk '
+xl list | awk -- '
   BEGIN { mem=0; qubes=0; } / [0-9]+ +[0-9]+ +[0-9]+ / { mem+=$3; qubes++; }
   END { printf("%dQ|%.1fG\n", qubes, mem/1000); }'

files/dom0/.local/share/bash-completion/completions/qvm

@@ -60,8 +60,8 @@ _complete-qubes() {
       state_re='[^|]\+'
       ;;
   esac
-  qubes=$(qvm-ls --raw-data | grep -v '^dom0|' | \
-    grep -i "^[^|]\+|${state_re}|" | cut -f1 -d"|")
+  qubes=$(qvm-ls --raw-data | grep -v -e '^dom0|' | \
+    grep -i -e "^[^|]\+|${state_re}|" | cut -f1 -d"|")
   mapfile -t COMPREPLY < <(compgen -W "${qubes}" -- "${cur}")
   return 0
 }

files/git/.config/git/shell/.git-shell-lib

@@ -25,7 +25,7 @@ fail_invalid_name(){
 test_description(){
   key="$1"
   value="$2"
-  if ! (echo "${value}" | grep -E -q "${description_regex}"); then
+  if ! (echo "${value}" | grep -E -q -e "${description_regex}"); then
     fail_invalid_name "${key}"
   fi
 }
@@ -33,7 +33,7 @@ test_description(){
 test_name(){
   key="$1"
   value="$2"
-  if ! (echo "${value}" | grep -E -q "${regex}"); then
+  if ! (echo "${value}" | grep -E -q -e "${regex}"); then
     fail_invalid_name "${key}"
   fi
 }

files/git/.config/git/shell/description

@@ -30,8 +30,8 @@ is_bare "${base}/${section}/${repo}"
 description_file="${base}/${section}/${repo}/description"
 
 if test -z "${3-}"; then
-  test -f "${description_file}" || touch "${description_file}"
-  cat "${description_file}"
+  test -f "${description_file}" || touch -- "${description_file}"
+  cat -- "${description_file}"
   exit 0
 fi
 

files/git/.config/git/shell/help

@@ -8,11 +8,11 @@
 
 set -eu
 
-printf "Available commands:\n"
+printf '%s\n' "Available commands:"
 for f in "${0%/*}"/*; do
   test "${f##*/}" != "help" || continue
   test -f "${f}" || continue
   test -x "${f}" || continue
-  usage="$("${f}" --help 2>&1 | head -1 | sed "s/[Uu]sage: //")"
+  usage="$("${f}" --help 2>&1 | head -1 | sed -e "s/[Uu]sage: //")"
   printf ' %-15s\t\t%s\n' "${f##*/}" "${usage}"
 done

files/git/.config/git/template/hooks/pre-receive.sample

@@ -142,7 +142,7 @@ while read -r oldrev newrev ref; do
       continue
     fi
     commit_tag="$(git rev-list -n1 "${newrev}")"
-    obj_rejected="$(echo "${obj_rejected}" | sed "s/ ${commit_tag} //")"
+    obj_rejected="$(echo "${obj_rejected}" | sed -e "s/ ${commit_tag} //")"
     err "Commit validation done by tag: ${commit_tag} ${newrev}"
     continue
   fi
@@ -191,7 +191,7 @@ while read -r oldrev newrev ref; do
       continue
     fi
     commit_tag="$(git rev-list -n1 "${newrev}")"
-    obj_rejected="$(echo "${obj_rejected}" | sed "s/ ${commit_tag} //")"
+    obj_rejected="$(echo "${obj_rejected}" | sed -e "s/ ${commit_tag} //")"
     err "Commit validation done by tag: ${commit_tag} ${newrev}"
     continue
   fi

files/git/.config/git/template/hooks/prepare-commit-msg

@@ -15,12 +15,13 @@ file="$1"
 #sha1="$3"
 
 char="$(git config --get core.commentChar || echo "#")"
-template="$(git config --get commit.template | sed "s|^~/|${HOME}/|")"
+template="$(git config --get commit.template | sed -e "s|^~/|${HOME}/|")"
 
 if test "${char}" = "auto"; then
   ## Try to skip the init.template comment char by getting the last match, as
   ## the template will be placed at the beginning of the file.
-  char="$(grep -E "^(#|;|@|!|$|%|^|&|\\||:) " "${file}" | cut -c1 | tail -n1)"
+  char="$(grep -E -e "^(#|;|@|!|$|%|^|&|\\||:) " -- "${file}" | \
+    cut -c1 | tail -n1)"
 fi
 
 ## Remove the default instructional message and its following empty line.
@@ -28,12 +29,12 @@ sed -i'' \
   -e "/^. Please enter the commit message .*. Lines starting$/d" \
   -e "/^. with '.' will be ignored, .* aborts the commit.$/ {
       N; d; }" \
-  "${file}"
+  -- "${file}"
 
 ## Replace init.template comment char to the core.commentChar line per line.
 if test -f "${template}"; then
   while read -r line; do
-    mod_line="$(echo "${line}" | sed "s/^. /${char} /")"
-    sed -i'' "s/^${line}$/${mod_line}/" "${file}"
+    mod_line="$(echo "${line}" | sed -e "s/^. /${char} /")"
+    sed -i'' -e "s/^${line}$/${mod_line}/" -- "${file}"
   done < "${template}"
 fi

files/git/.local/bin/git-client-setup

@@ -43,7 +43,7 @@ else
   set_git_config format.signature "${user}"
 fi
 
-grep \
-  -E "^;*\s+(vim:.*(\s+|:)|vim:(\s*))(ft|filetype)=gitconfig((\s+|:).*|$)" \
-  -q "${gitconfig_file}" ||
-  sed -i'' "1i; ${vim_modeline}" "${gitconfig_file}"
+grep -E \
+  -e "^;*\s+(vim:.*(\s+|:)|vim:(\s*))(ft|filetype)=gitconfig((\s+|:).*|$)" \
+  -q -- "${gitconfig_file}" ||
+  sed -i'' -e "1i; ${vim_modeline}" -- "${gitconfig_file}"

files/git/.local/bin/git-server-setup

@@ -27,22 +27,22 @@ git_home="/var/git"
 git_shell="$(command -v git-shell)"
 
 useradd -m "${git_user}" -d "${git_home}" -s "${git_shell}"
-mkdir -p "${git_home}/src"
+mkdir -p -- "${git_home}/src"
 
-mkdir -p "${git_home}/.ssh"
-chmod 0700 "${git_home}/.ssh"
-touch "${git_home}/.ssh/authorized_keys"
-chmod 0600 "${git_home}/.ssh/authorized_keys"
+mkdir -p -- "${git_home}/.ssh"
+chmod -- 0700 "${git_home}/.ssh"
+touch -- "${git_home}/.ssh/authorized_keys"
+chmod -- 0600 "${git_home}/.ssh/authorized_keys"
 
-mkdir -p "${git_home}/git-shell-commands"
-cp -r "${git_home}/.config/git/shell"/* "${git_home}/git-shell-commands"
-chmod -R 0755 "${git_home}/git-shell-commands"
+mkdir -p -- "${git_home}/git-shell-commands"
+cp -r -- "${git_home}/.config/git/shell"/* "${git_home}/git-shell-commands"
+chmod -R -- 0755 "${git_home}/git-shell-commands"
 
 git config --system receive.updateServerInfo true
 git config --system receive.advertisePushOptions true
-nonce="$(head /dev/urandom |
+nonce="$(head -- /dev/urandom |
   LC_ALL=C tr -dc 'A-Za-z0-9!#$%&'\''()*+,-./:;<=>?@[\]^_`{|}~' |
   cut -c 1-256)"
 git config --system receive.certNonceSeed "${nonce}"
 
-chown -R "${git_user}":"${git_user}" "${git_home}"
+chown -R -- "${git_user}":"${git_user}" "${git_home}"

files/qvm-copy-dotfiles

@@ -29,16 +29,16 @@ if test "${qube}" = "dom0"; then
   sh ./dotfiles/setup.sh
   user_name="$(getent group qubes | awk -F "[:,]" '{print $4}')"
   user_home="$(getent passwd "${user_name}" | awk -F ":" '{print $6}')"
-  sudo -u "${user_name}" mkdir -pv "${user_home}/.cache"
-  tmpdir="$(sudo -u "${user_name}" mktemp -d "${user_home}/.cache/XXXXXX")"
+  sudo -u "${user_name}" mkdir -pv -- "${user_home}/.cache"
+  tmpdir="$(sudo -u "${user_name}" -- mktemp -d "${user_home}/.cache/XXXXXX")"
   trap 'rm -rf -- "${tmpdir}"' EXIT INT HUP QUIT ABRT
-  cp -r ./dotfiles "${tmpdir}"
-  chown -R "${user_name}:${user_name}" "${tmpdir}"
-  sudo -u "${user_name}" "${tmpdir}/dotfiles/setup.sh"
+  cp -r -- ./dotfiles "${tmpdir}"
+  chown -R -- "${user_name}:${user_name}" "${tmpdir}"
+  sudo -u "${user_name}" -- "${tmpdir}/dotfiles/setup.sh"
   exit
 fi
 
-qvm-run -q "${qube}" -- "rm -rf ~/QubesIncoming/dom0/files"
+qvm-run -q "${qube}" -- "rm -rf -- ~/QubesIncoming/dom0/files"
 qvm-copy-to-vm "${qube}" ../files
 qvm-run -q "${qube}" -- "sh ~/QubesIncoming/dom0/files/setup.sh"
-qvm-run -q "${qube}" -- "rm -rf ~/QubesIncoming/dom0/files"
+qvm-run -q "${qube}" -- "rm -rf -- ~/QubesIncoming/dom0/files"

files/setup.sh

@@ -46,6 +46,6 @@ for dir in ${args}; do
       "."|"..") continue;;
       *) ;;
     esac
-    cp -rv "${file}" "${HOME}"
+    cp -rv -- "${file}" "${HOME}"
   done
 done

files/sh/.config/bash/bashrc

@@ -33,7 +33,7 @@ alias reload="exec bash"
 ## }}}
 ## {{{ Prompt
 if test -z "${debian_chroot:-}" && test -r /etc/debian_chroot; then
-  debian_chroot="$(cat /etc/debian_chroot)"
+  debian_chroot="$(cat -- /etc/debian_chroot)"
 fi
 
 _reset_line() {
@@ -72,7 +72,7 @@ _reset_line() {
 _print_ec(){
   test "${_ec_ps1}" = "0" && return
   if test "${color_prompt:-}" = "yes"; then
-    printf %s"(\001\033[31m\002${_ec_ps1}\001\033[0m\002)"
+    printf '%b%s%b' "(\001\033[31m\002" "${_ec_ps1}" "\001\033[0m\002)"
   else
     printf '%s' "(${_ec_ps1})"
   fi

files/sh/.config/sh/profile

@@ -8,9 +8,9 @@
 # shellcheck disable=SC2312
 : "${HOME:=$(cd ~ && pwd)}"
 # shellcheck disable=SC2312
-: "${USER:=$(id -un || printf %s "${HOME##*/}")}"
+: "${USER:=$(id -un || printf '%s' "${HOME##*/}")}"
 # shellcheck disable=SC2312
-: "${UID:=$(id -u || awk -F ":" -v user="${USER}" '/^user:/{print $3}' \
+: "${UID:=$(id -u || awk -F ":" -v user="${USER}" -- '/^user:/{print $3}' \
   /etc/passwd)}"
 # shellcheck disable=SC2312
 : "${HOSTNAME:=$(hostname)}"
@@ -22,10 +22,10 @@ XDG_CACHE_HOME="${HOME}/.cache"
 XDG_DATA_HOME="${HOME}/.local/share"
 XDG_STATE_HOME="${HOME}/.local/state"
 export XDG_CONFIG_HOME XDG_CACHE_HOME XDG_DATA_HOME XDG_STATE_HOME
-mkdir -p "${XDG_CONFIG_HOME}" "${XDG_CACHE_HOME}" "${XDG_DATA_HOME}" \
+mkdir -p -- "${XDG_CONFIG_HOME}" "${XDG_CACHE_HOME}" "${XDG_DATA_HOME}" \
   "${XDG_STATE_HOME}"
 ## Set XDG_*_DIR variables.
-xdg_dirs="$(awk '/^[ ]*XDG_[A-Z]*_DIR=/{print "export " $1}' \
+xdg_dirs="$(awk -- '/^[ ]*XDG_[A-Z]*_DIR=/{print "export " $1}' \
   "${XDG_CONFIG_HOME}/user-dirs.dirs")"
 eval "${xdg_dirs}"
 
@@ -140,7 +140,7 @@ ssh_agent_dir="${TMPDIR}/ssh-agent-${USER}"
 ssh_agent_sock="${ssh_agent_dir}/agent.sock"
 ssh_agent_pid="${ssh_agent_dir}/agent.pid"
 if test -z "${SSH_AUTH_SOCK-}" && has ssh-agent; then
-  test -d "${ssh_agent_dir}" || mkdir -p "${ssh_agent_dir}"
+  test -d "${ssh_agent_dir}" || mkdir -p -- "${ssh_agent_dir}"
   if test -S "${ssh_agent_sock}" &&
     test -r "${ssh_agent_sock}" &&
     test -w "${ssh_agent_sock}" &&

files/sh/.config/sh/shrc

@@ -38,8 +38,8 @@ if has lsblk; then
   alias lsblk='lsblk -o ${_lsblk_options}'
   alias lsblku='lsblk -o ${_lsblk_options},UUID,PARTUUID'
 fi
-if ! grep --color 2>&1 | grep -qE "(unrecognized|unknown) option" &&
-  ! grep --exclude 2>&1 | grep -qE "(unrecognized|unknown) option"
+if ! grep --color 2>&1 | grep -qE -e "(unrecognized|unknown) option" &&
+  ! grep --exclude 2>&1 | grep -qE -e "(unrecognized|unknown) option"
 then
   alias grep="grep --exclude='.*.swp' --exclude='*~' --color=auto"
 fi
@@ -66,7 +66,7 @@ cd_up(){
     [1-9])
       has seq || return
       # shellcheck disable=SC2312
-      cd "$(printf "%0.0s../" $(seq 1 "${1}"))" || return
+      cd "$(printf '%0.0s../' $(seq 1 "${1}"))" || return
       ;;
     "")
       cd .. || return;;
@@ -224,7 +224,7 @@ _get_prompt_time(){
   test -n "${SECONDS:-}" || return
   # shellcheck disable=SC2154
   _ptime="$((SECONDS-_saved_prompt_time))"
-  printf "%02d:%02d:%02d" \
+  printf '%02d:%02d:%02d' \
     "$((_ptime/3600))" "$(((_ptime%3600)/60))" "$((_ptime%60))"
 }
 
@@ -321,13 +321,13 @@ _fzf_comprun() {
 
   case "${_fzf_command}" in
     cd) if has tree; then
-          fzf --preview 'tree -C {} | head -200' "${@}"
+          fzf --preview 'tree -C -- {} | head -200' "${@}"
         else
           fzf "${@}"
         fi
         ;;
     export|unset)
-      fzf --preview "eval 'echo \$'{}" "${@}"
+      fzf --preview "eval 'printf '%s\n' \$'{}" "${@}"
       ;;
     ssh)
       if has dig; then
@@ -335,7 +335,7 @@ _fzf_comprun() {
       fi
       ;;
     *)
-      fzf --preview 'test -d {} || cat {}' "${@}"
+      fzf --preview 'test -d {} || cat -- {}' "${@}"
       ;;
   esac
 }

files/sh/.config/zsh/.zshrc

@@ -211,8 +211,8 @@ fi
 ## Load completions.
 autoload -Uz compinit
 zmodload zsh/complist
-mkdir -p "$XDG_CACHE_HOME/zsh"
-compinit -u -d "$XDG_CACHE_HOME/zsh/zcompdump"
+mkdir -p -- "$XDG_CACHE_HOME/zsh"
+compinit -u -d -- "$XDG_CACHE_HOME/zsh/zcompdump"
 # _comp_options+=(globdots)
 ! has zoxide || eval "$(zoxide init zsh)"
 ! has gitlint || eval "$(_GITLINT_COMPLETE=zsh_source gitlint)"
@@ -481,7 +481,7 @@ bindkey -M vicmd "^E" edit-command-line
 bindkey -M emacs "\ea" change-first-word
 bindkey -M emacs "^XD" describe-key-briefly
 
-for binding in ${(f)$(bindkey -M emacs|grep '^"\^X')}; do
+for binding in ${(f)$(bindkey -M emacs|grep -e '^"\^X')}; do
   bindkey -M viins "${(@Qz)binding}"
 done
 unset binding

files/sh/.local/bin/gpg-sign-email

@@ -28,7 +28,7 @@ set -eu
 if test -z "${1-}"; then
   printf '%s\n' "usage: ${0##*/} [PATCH] [PATCH...]"
   printf '%s\n' "example: ${0##*/} *.patch"
-  printf "info: signed files are saved with the suffix '.asc'\n"
+  printf '%s\n' "info: signed files are saved with the suffix '.asc'"
   exit 1
 fi
 
@@ -39,7 +39,7 @@ if test -z "${vi_cmd}"; then
 fi
 
 for f in "${@}"; do
-  cp "${f}" "${f}.asc"
+  cp -- "${f}" "${f}.asc"
   "${vi_cmd}" -u NONE \
     -c 'set nomodeline' -c 'norm gg}j' \
     -c '.,$!gpg -a --clear-sign' \

files/sh/.local/bin/resize-terminal

@@ -24,12 +24,12 @@ if test "${#}" -eq 0; then
   term_file_wanted="ttyUSB ttyS"
   ## Consoles are desired.
   if test -r /sys/class/tty/console/active; then
-    active_console="$(cat /sys/class/tty/console/active)"
+    active_console="$(cat -- /sys/class/tty/console/active)"
     term_file_wanted="${term_file_wanted} ${active_console}"
     unset active_console
   fi
   term_file_active=0
-  for tf in $(printf %s"${term_file_wanted}"); do
+  for tf in $(printf '%s' "${term_file_wanted}"); do
     case "${term_file}" in
       *"/${tf}"*) term_file_active=1;;
       *) ;;

files/tmux/.local/bin/ta

@@ -20,16 +20,16 @@ new(){
   ## Session name was not specified.
   list="$(tmux list-sessions 2>/dev/null)"
 
-  printf "Choose session or create one by providing a new name:\n"
+  printf '%s\n' "Choose session or create one by providing a new name:"
   if test -n "${list}"; then
-    printf %s"\n${list}\n"
+    printf '\n%s\n' "${list}"
   fi
 
-  printf "\nEnter session name: "
+  printf '\n%s' "Enter session name: "
   read -r name
 
   if test -z "${name}"; then
-    printf "Name cannot be empty.\n"
+    printf '%s\n' "Name cannot be empty."
     return 1
   fi
 }
@@ -61,7 +61,7 @@ main(){
       else
 
         ## No last session, choose one or create one.
-        printf "Last session not found.\n"
+        printf '%s\n' "Last session not found."
         new
 
         if tmux has-session -t "${name}" 2>/dev/null; then

files/x11/.config/x11/xprofile

@@ -39,14 +39,14 @@ desktop_autostart(){
     return 0
   fi
 
-  touch "${TMPDIR:-/tmp}/touch-desktop-autostart"
+  touch -- "${TMPDIR:-/tmp}/touch-desktop-autostart"
   autostart_etc="${XDG_CONFIG_DIRS-/etc/xdg}/autostart"
   autostart_home="${XDG_CONFIG_HOME-${HOME}/.config}/autostart"
 
   for f in "${autostart_etc}"/*.desktop "${autostart_home}"/*.desktop; do
     test -r "${f}" || continue
     # shellcheck disable=SC2091
-    autostart_exec="$(awk -F '=' '/^Exec=/{print $2}' "${f}")"
+    autostart_exec="$(awk -F '=' -- '/^Exec=/{print $2}' "${f}")"
     command -v "${autostart_exec%% *}" >/dev/null || continue
     ${autostart_exec} &
   done