From 5adfce72e1427283c1bb69bd9d2482a0390ce706 Mon Sep 17 00:00:00 2001
From: Stefan Knudsen <stefan.knudsen@mail.mcgill.ca>
Date: Fri, 27 Apr 2018 19:05:43 -0400
Subject: [PATCH] Warn about invalid arguments to sudo

---
 CHANGELOG.md                |  1 +
 src/ShellCheck/Analytics.hs | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 086d2fb..aa82016 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,6 @@
 ## Latest - ???
 ### Added
+- SC2232: Warn about invalid arguments to sudo
 - SC2231: Suggest quoting expansions in for loop globs
 - SC2229: Warn about 'read $var'
 - SC2227: Warn about redirections in the middle of 'find' commands
diff --git a/src/ShellCheck/Analytics.hs b/src/ShellCheck/Analytics.hs
index 3205e0f..bea28d2 100644
--- a/src/ShellCheck/Analytics.hs
+++ b/src/ShellCheck/Analytics.hs
@@ -121,6 +121,7 @@ nodeChecks = [
     ,checkTestRedirects
     ,checkIndirectExpansion
     ,checkSudoRedirect
+    ,checkSudoArgs
     ,checkPS1Assignments
     ,checkBackticks
     ,checkInexplicablyUnquoted
@@ -1306,6 +1307,22 @@ checkSudoRedirect _ (T_Redirecting _ redirs cmd) | cmd `isCommand` "sudo" =
     special file = concat (oversimplify file) == "/dev/null"
 checkSudoRedirect _ _ = return ()
 
+prop_checkSudoArgs1 = verify checkSudoArgs "sudo cd /root"
+prop_checkSudoArgs2 = verify checkSudoArgs "sudo export x=3"
+prop_checkSudoArgs3 = verifyNot checkSudoArgs "sudo ls /usr/local/protected"
+prop_checkSudoArgs4 = verifyNot checkSudoArgs "sudo ls && export x=3"
+prop_checkSudoArgs5 = verifyNot checkSudoArgs "sudo echo ls"
+checkSudoArgs _ t@(T_SimpleCommand _ _ (_:rest))
+    | t `isCommand` "sudo" = checkArgs args
+    where checkArgs (x:xs)
+              | x `elem` prohibitedArguments = warn (getId t) 2232 $ "Can't use sudo with " ++ x
+              | x `elem` commonCommands = return ()
+              | otherwise = checkArgs xs
+          checkArgs [] = return ()
+          args = map onlyLiteralString $ concat $ map getWordParts rest
+          prohibitedArguments = ["cd", "export"]
+checkSudoArgs _ _ = return ()
+
 prop_checkPS11 = verify checkPS1Assignments "PS1='\\033[1;35m\\$ '"
 prop_checkPS11a= verify checkPS1Assignments "export PS1='\\033[1;35m\\$ '"
 prop_checkPSf2 = verify checkPS1Assignments "PS1='\\h \\e[0m\\$ '"
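Review bot: `checkArgs` keeps walking past the first word that is neither prohibited nor in `commonCommands`, so a later argument that happens to be `cd` or `export` is reported as if it were the command sudo runs. A line such as `sudo sometool export data` would presumably raise SC2232 unless `sometool` is in `commonCommands`, which is defined outside this hunk. The five properties only cover commands that are prohibited or (apparently) in that list, so a case like `prop_checkSudoArgs6 = verifyNot checkSudoArgs "sudo sometool export data"` would pin the intended behaviour. One option is to stop at the first word that does not start with `-`, at the cost of missing `sudo -u root cd /`. Separately, `concat $ map getWordParts rest` appears to compare word parts rather than whole words, so a word holding a literal `cd` next to an expansion may match; comparing each argument's full literal string would avoid that, and `concatMap` reads better if the flattening stays.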