From 3c5c74ff047ba99451b3a1a7689f5c1b84d1634b Mon Sep 17 00:00:00 2001 From: Vidar Holen Date: Sat, 6 Jan 2018 10:53:53 -0800 Subject: [PATCH] Add quote warning specific to : ${var=val}. Fixes #1084 --- CHANGELOG.md | 4 ++++ ShellCheck/Analytics.hs | 21 +++++++++++++++++---- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b935cf..320bba4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +## Latest - ??? +### Added +- SC2223: Quote warning specific to `: ${var=value}` + ## v0.4.7 - 2017-12-08 ### Added - Statically linked binaries for Linux and Windows (see README.md)! diff --git a/ShellCheck/Analytics.hs b/ShellCheck/Analytics.hs index c250b28..ff00922 100644 --- a/ShellCheck/Analytics.hs +++ b/ShellCheck/Analytics.hs @@ -1617,16 +1617,23 @@ checkSpacefulness params t = modify $ Map.insert name bool readF _ token name = do - spaced <- hasSpaces name - return [makeComment InfoC (getId token) 2086 warning | - isExpansion token && spaced + spaces <- hasSpaces name + return [warning | + isExpansion token && spaces && not (isArrayExpansion token) -- There's another warning for this && not (isCountingReference token) && not (isQuoteFree parents token) && not (isQuotedAlternativeReference token) && not (usedAsCommandName parents token)] where - warning = "Double quote to prevent globbing and word splitting." + warning = + if isDefaultAssignment (parentMap params) token + then + makeComment InfoC (getId token) 2223 + "This default assignment may cause DoS due to globbing. Quote it." + else + makeComment InfoC (getId token) 2086 + "Double quote to prevent globbing and word splitting." writeF _ _ name (DataString SourceExternal) = setSpaces name True >> return [] writeF _ _ name (DataString SourceInteger) = setSpaces name False >> return [] 
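Review bot: The new SC2223 branch in `readF` (hunk `@@ -1617,16 +1617,23 @@` of ShellCheck/Analytics.hs) ships without a `prop_` case: the diffstat's 17 insertions to this file are all accounted for by the two hunks shown, and none of them is a test. Because `warning` is only evaluated once the existing guard has passed, SC2223 is also gated on `spaces`, which is tracked for the variable name rather than for the default word inside the braces. A script such as `x=; : ${x:=*/*}` may therefore go unreported; this is inferred from the visible `writeF`/`globspace` lines and is worth confirming. I would pin both directions next to the other properties, for example `prop_checkSpacefulnessN = verifyTree checkSpacefulness ": ${var=*/*}"` and `prop_checkSpacefulnessM = verifyNotTree checkSpacefulness ": \"${var=*/*}\""`, where N and M are placeholders for the next free numbers. The enclosing `checkSpacefulness` starts before this hunk and continues after it.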
@@ -1665,6 +1672,12 @@ checkSpacefulness params t = globspace = "*?[] \t\n" containsAny s = any (`elem` s) + isDefaultAssignment parents token = + let modifier = getBracedModifier $ bracedString token in + isExpansion token + && any (`isPrefixOf` modifier) ["=", ":="] + && isParamTo parents ":" token + prop_checkQuotesInLiterals1 = verifyTree checkQuotesInLiterals "param='--foo=\"bar\"'; app $param" prop_checkQuotesInLiterals1a= verifyTree checkQuotesInLiterals "param=\"--foo='lolbar'\"; app $param" prop_checkQuotesInLiterals2 = verifyNotTree checkQuotesInLiterals "param='--foo=\"bar\"'; app \"$param\""
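Review bot: `isDefaultAssignment` is added without a comment, although it is the only place that states which shell construct SC2223 covers. A line above it such as `-- ${var=val} or ${var:=val} passed as an argument to ':'; the unquoted result is still globbed and word-split` would record the intent for the next maintainer. The `isExpansion token` conjunct repeats a check that `readF`'s guard already makes before `warning` is evaluated. It is harmless, but either drop it or mark it as defensive so nobody assumes the helper is safe to call on arbitrary tokens. The helper sits in the `where` block of `checkSpacefulness`, which begins outside this hunk.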