Dangerous script! - synchronise_with_source.sh

[listerr]

Documentation for this plugin suggests:

How to upgrade this clone:

Execute the synchronise_with_source.sh shell script.

Although there is no more detail on how to run this script.

A perhaps not unreasonable assumption is that, having done composer require ... it should be run from within the
./plugins/kolab_2fa directory.

This script deletes without warning, the contents of the parent directory of which it is run.

I guess it's supposed to be run from within ./plugins/kolab_2fa/lib ? or possibly /plugins/kolab_2fa/bin but bin doesn't seem to be included in the version installed by composer require.

Event then, it nukes any existing config.inc.php (which has, say, the Yubico API key etc in!)

Let's just say I have not had a fun morning.

root@turing:/srv/roundcubemail-1.6.1/plugins# ls -la
drwxr-xr-x  4 root root 4096 Mar 28 12:56 acl
drwxr-xr-x  2 root root 4096 Mar 28 12:56 additional_message_headers
drwxr-xr-x  3 root root 4096 Mar 28 12:56 archive
drwxr-xr-x  3 root root 4096 Mar 28 12:56 attachment_reminder
drwxr-xr-x  2 root root 4096 Mar 28 12:56 autologon
drwxr-xr-x  2 root root 4096 Mar 28 12:56 autologout
drwxr-xr-x  2 root root 4096 Mar 28 13:16 banner_ics
drwxr-xr-x  4 root root 4096 Jun 18  2022 contextmenu
drwxr-xr-x  7 root root 4096 Mar 28 13:16 contextmenu_folder
drwxr-xr-x  2 root root 4096 Mar 28 12:56 database_attachments
drwxr-xr-x  3 root root 4096 Mar 28 12:56 debug_logger
drwxr-xr-x  3 root root 4096 Mar 28 12:56 emoticons
drwxr-xr-x  6 root root 4096 Mar 28 13:19 enigma
drwxr-xr-x  2 root root 4096 Mar 28 12:56 example_addressbook
drwxr-xr-x  5 root root 4096 Mar 28 13:16 fetchmail
drwxr-xr-x  2 root root 4096 Mar 28 12:56 filesystem_attachments
drwxr-xr-x  2 root root 4096 Mar 28 13:16 globaladdressbook
drwxr-xr-x  5 root root 4096 Mar 28 12:56 help
drwxr-xr-x  3 root root 4096 Mar 28 12:56 hide_blockquote
drwxr-xr-x  2 root root 4096 Jan 23 20:03 http_authentication
drwxr-xr-x  2 root root 4096 Mar 28 12:56 identicon
drwxr-xr-x  2 root root 4096 Mar 28 12:56 identity_select
drwxr-xr-x  4 root root 4096 Mar 28 12:56 jqueryui
drwxr-xr-x  2 root root 4096 Mar 28 12:56 krb_authentication
drwxr-xr-x  7 root root 4096 Nov 21  2021 larry
drwxr-xr-x  7 root root 4096 Mar 28 12:56 managesieve
drwxr-xr-x  4 root root 4096 Mar 28 12:56 markasjunk
drwxr-xr-x  3 root root 4096 Mar 28 12:56 newmail_notifier
drwxr-xr-x  3 root root 4096 Mar 28 12:56 new_user_dialog
drwxr-xr-x  2 root root 4096 Mar 28 12:56 new_user_identity
drwxr-xr-x  5 root root 4096 Mar 28 12:56 password
drwxr-xr-x  2 root root 4096 Mar 28 12:56 reconnect
drwxr-xr-x  2 root root 4096 Mar 28 12:56 redundant_attachments
drwxr-xr-x  2 root root 4096 Mar 28 12:56 show_additional_headers
drwxr-xr-x  2 root root 4096 Mar 28 12:56 squirrelmail_usercopy
drwxr-xr-x  3 root root 4096 Mar 28 12:56 subscriptions_option
drwxr-xr-x  4 root root 4096 Jan 17 23:09 twofactor_webauthn
drwxr-xr-x  3 root root 4096 Mar 28 12:56 userinfo
drwxr-xr-x  3 root root 4096 Mar 28 12:56 vcard_attachments
drwxr-xr-x  2 root root 4096 Mar 28 12:56 virtuser_file
drwxr-xr-x  2 root root 4096 Mar 28 12:56 virtuser_query
drwxr-xr-x  3 root root 4096 Mar 28 12:56 zipdownload

root@turing:/srv/roundcubemail-1.6.1/plugins/kolab_2fa# chmod 755 ./synchronise_with_source.sh
root@turing:/srv/roundcubemail-1.6.1/plugins/kolab_2fa# ./synchronise_with_source.sh
fatal: not a git repository (or any of the parent directories): .git
Cloning into '.'...
remote: Counting objects: 41143, done.
remote: Compressing objects: 100% (14876/14876), done.
remote: Total 41143 (delta 29567), reused 33903 (delta 23810)
Receiving objects: 100% (41143/41143), 11.22 MiB | 559.00 KiB/s, done.
Resolving deltas: 100% (29567/29567), done.
Note: switching to 'roundcubemail-plugins-kolab-3.5.9'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at 971c8d71 Bump version
/srv/roundcubemail-1.6.1/plugins/kolab_2fa

:: Done
   Please create latest tag >>roundcubemail-plugins-kolab-3.5.9<<.

root@turing:/srv/roundcubemail-1.6.1/plugins/kolab_2fa# ls -alrt
total 0

root@turing:/srv/roundcubemail-1.6.1/plugins/kolab_2fa# cd ..
root@turing:/srv/roundcubemail-1.6.1/plugins# ls -lart
total 88
drwxr-xr-x 13 root root  4096 Mar 28 13:23 ..
drwxr-xr-x  3 root root  4096 Mar 28 13:29 kolab_2fa
drwxr-xr-x  3 root root  4096 Mar 28 13:29 lib
-rw-r--r--  1 root root  4555 Mar 28 13:29 config.inc.php.dist
drwxr-xr-x  4 root root  4096 Mar 28 13:29 skins
drwxr-xr-x  2 root root  4096 Mar 28 13:29 localization
-rw-r--r--  1 root root 28567 Mar 28 13:29 kolab_2fa.php
-rw-r--r--  1 root root 13058 Mar 28 13:29 kolab2fa.js
-rw-r--r--  1 root root   863 Mar 28 13:29 composer.json
drwxr-xr-x  6  501   80  4096 Mar 28 13:29 .
-rw-r--r--  1 root root  4213 Mar 28 13:29 README.md

... oopsie! Where did all my plugins go? 😒

.. Would suggest the following;

• Document how this script is supposed to be used.
• Build in a sanity check before clobbering the parent directory, e.g. check for an existing config.inc.php or composer.json belonging to the plugin. (e.g. grep -c '"name": "kolab/kolab_2fa"' composer.json) to check.
• Check we're in the directory we're supposed to be in.
• Backup any existing config.inc.php or leave it alone.