(command.CommandList children: [ (command.ShFunction name: err_exit body: (BraceGroup left: <Id.Lit_LBrace '{'> children: [ (C {<print>} {<-u2>} {<-n>} {(DQ <Id.Lit_BadBackslash '\\'> <t>)}) (C {<print>} {<-u2>} {<-r>} {(${ Id.VSub_Name Command) <Id.Lit_LBracket '['> ($ Id.VSub_Number 1) <Id.Lit_RBracket ']'> <Id.Lit_Colon ':'> } { (DQ (braced_var_sub left: <Id.Left_DollarBrace '${'> token: <Id.VSub_At '@'> var_name: '@' suffix_op: (suffix_op.Slice begin:{<Id.Lit_Digits 2>}) right: <Id.Arith_RBrace _> ) ) } ) (C {<let>} {<Id.Lit_VarLike 'Errors+='> <1>}) ] redirects: [] right: <Id.Lit_RBrace '}'> ) ) (C {<alias>} {<Id.Lit_VarLike 'err_exit='> (SQ <'err_exit $LINENO'>)}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'Command='> name:Command) op: assign_op.Equal rhs: { (braced_var_sub left: <Id.Left_DollarBrace '${'> token: <Id.VSub_Number 0> var_name: 0 suffix_op: (suffix_op.Unary op: <Id.VOp1_DPound '##'> arg_word: {<Id.Lit_Other '*'> <Id.Lit_Slash '/'>} ) right: <Id.Right_DollarBrace '}'> ) } spids: [114] ) ] redirects: [] ) (C {<integer>} {<Id.Lit_VarLike 'Errors='> <0>}) (command.AndOr ops: [Id.Op_DPipe] children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'tmp='> name:tmp) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_DollarParen '$('> child: (C {<mktemp>} {<-dt>}) right: <Id.Eof_RParen _> ) } spids: [128] ) ] redirects: [] ) (BraceGroup left: <Id.Lit_LBrace '{'> children: [ (command.Sentence child: (C {<err_exit>} {<mktemp>} {<-dt>} {<failed>}) terminator: <Id.Op_Semi _> ) (command.Sentence child: (command.ControlFlow token:<Id.ControlFlow_Exit exit> arg_word:{<1>}) terminator: <Id.Op_Semi _> ) ] redirects: [] right: <Id.Lit_RBrace '}'> ) ] ) (C {<trap>} {(DQ <'cd /; rm -rf '> ($ Id.VSub_DollarName tmp))} {<EXIT>}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'pwd='> name:pwd) op: assign_op.Equal rhs: {($ Id.VSub_DollarName PWD)} spids: [168] ) ] redirects: [] ) (command.Case to_match: {($ Id.VSub_DollarName SHELL)} arms: [ (case_arm pat_list:[{<'/'> <Id.Lit_Star '*'>}] action:[] spids:[177 179 181 -1]) (case_arm pat_list: [{<Id.Lit_Star '*'> <'/'> <Id.Lit_Star '*'>}] action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'SHELL='> name:SHELL) op: assign_op.Equal rhs: {($ Id.VSub_DollarName pwd) <'/'> ($ Id.VSub_DollarName SHELL)} spids: [188] ) ] redirects: [] ) ] spids: [183 186 192 -1] ) (case_arm pat_list: [{<Id.Lit_Star '*'>}] action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'SHELL='> name:SHELL) op: assign_op.Equal rhs: { (command_sub left_token: <Id.Left_DollarParen '$('> child: (C {<whence>} {(DQ ($ Id.VSub_DollarName SHELL))}) right: <Id.Eof_RParen _> ) } spids: [197] ) ] redirects: [] ) ] spids: [194 195 205 -1] ) ] redirects: [] ) (command.ShFunction name: check_restricted body: (BraceGroup left: <Id.Lit_LBrace '{'> children: [ (C {<rm>} {<-f>} {<out>}) (command.Simple words: [{<rksh>} {<-c>} {(DQ ($ Id.VSub_At '@'))}] redirects: [ (redir op:<Id.Redir_Great '2>'> loc:(redir_loc.Fd fd:2) arg:{<out>}) (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) ] more_env: [] do_fork: T ) (command.Simple words: [{<grep>} {<restricted>} {<out>}] redirects: [ (redir op: <Id.Redir_Great '>'> loc: (redir_loc.Fd fd:1) arg: {<'/dev/null'>} ) (redir op:<Id.Redir_GreatAnd '2>&'> loc:(redir_loc.Fd fd:2) arg:{<1>}) ] more_env: [] do_fork: T ) ] redirects: [] right: <Id.Lit_RBrace '}'> ) ) (command.AndOr ops: [Id.Op_DAmp] children: [ (command.DBracket expr: (bool_expr.Binary op_id: Id.BoolBinary_GlobNEqual left: {($ Id.VSub_DollarName SHELL)} right: {<'/'> <Id.Lit_Other '*'>} ) redirects: [] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'SHELL='> name:SHELL) op: assign_op.Equal rhs: {($ Id.VSub_DollarName pwd) <'/'> ($ Id.VSub_DollarName SHELL)} spids: [269] ) ] redirects: [] ) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<cd>} {($ Id.VSub_DollarName tmp)}) (C {<err_exit>} {(DQ <'cd '> ($ Id.VSub_DollarName tmp) <' failed'>)}) ] ) (C {<ln>} {<-s>} {($ Id.VSub_DollarName SHELL)} {<rksh>}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'PATH='> name:PATH) op: assign_op.Equal rhs: {($ Id.VSub_DollarName PWD) <Id.Lit_Colon ':'> ($ Id.VSub_DollarName PATH)} spids: [296] ) ] redirects: [] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<rksh>} {<-c>} {(SQ <'[[ -o restricted ]]'>)}) (C {<err_exit>} {(SQ <'restricted option not set'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (command.DBracket expr: (bool_expr.Binary op_id: Id.BoolBinary_GlobDEqual left: { (command_sub left_token: <Id.Left_DollarParen '$('> child: (C {<rksh>} {<-c>} {(SQ <'print hello'>)}) right: <Id.Eof_RParen _> ) } right: {<hello>} ) redirects: [] ) (C {<err_exit>} {(SQ <'unable to run print'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<check_restricted>} {<'/bin/echo'>}) (C {<err_exit>} {(SQ <'/bin/echo not resticted'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [(C {<check_restricted>} {<'./echo'>}) (C {<err_exit>} {(SQ <'./echo not resticted'>)})] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<check_restricted>} {(SQ <'SHELL=ksh'>)}) (C {<err_exit>} {(SQ <'SHELL asignment not resticted'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<check_restricted>} {(SQ <'PATH=/bin'>)}) (C {<err_exit>} {(SQ <'PATH asignment not resticted'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<check_restricted>} {(SQ <'FPATH=/bin'>)}) (C {<err_exit>} {(SQ <'FPATH asignment not resticted'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<check_restricted>} {(SQ <'ENV=/bin'>)}) (C {<err_exit>} {(SQ <'ENV asignment not resticted'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<check_restricted>} {(SQ <'print > file'>)}) (C {<err_exit>} {(SQ <'> file not restricted'>)}) ] ) (command.Simple words: [] redirects: [(redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<empty>})] more_env: [] do_fork: F ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<check_restricted>} {(SQ <'print <> empty'>)}) (C {<err_exit>} {(SQ <'<> file not restricted'>)}) ] ) (command.Simple words: [{<print>} {(SQ <'echo hello'>)}] redirects: [(redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<script>})] more_env: [] do_fork: T ) (C {<chmod>} {<Id.Lit_Other '+'> <x>} {<'./script'>}) (command.AndOr ops: [Id.Op_DPipe] children: [ (command.Pipeline children: [(C {<check_restricted>} {<script>})] negated: T stderr_indices: [] ) (C {<err_exit>} {(SQ <'script without builtins should run in restricted mode'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<check_restricted>} {<'./script'>}) (C {<err_exit>} {(SQ <'script with / in name should not run in restricted mode'>)}) ] ) (command.Simple words: [{<print>} {(SQ <'/bin/echo hello'>)}] redirects: [(redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<script>})] more_env: [] do_fork: T ) (command.AndOr ops: [Id.Op_DPipe] children: [ (command.Pipeline children: [(C {<check_restricted>} {<script>})] negated: T stderr_indices: [] ) (C {<err_exit>} {(SQ <'script with pathnames should run in restricted mode'>)}) ] ) (command.Simple words: [{<print>} {(SQ <'echo hello> file'>)}] redirects: [(redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<script>})] more_env: [] do_fork: T ) (command.AndOr ops: [Id.Op_DPipe] children: [ (command.Pipeline children: [(C {<check_restricted>} {<script>})] negated: T stderr_indices: [] ) (C {<err_exit>} {(SQ <'script with output redirection should run in restricted mode'>)}) ] ) (command.Simple words: [{<print>} {(SQ <'PATH=/bin'>)}] redirects: [(redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<script>})] more_env: [] do_fork: T ) (command.AndOr ops: [Id.Op_DPipe] children: [ (command.Pipeline children: [(C {<check_restricted>} {<script>})] negated: T stderr_indices: [] ) (C {<err_exit>} {(SQ <'script with PATH assignment should run in restricted mode'>)}) ] ) (command.Simple words: [{<cat>}] redirects: [ (redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<script>}) (redir op: <Id.Redir_DLess '<<'> loc: (redir_loc.Fd fd:0) arg: (redir_param.HereDoc here_begin: {<Id.KW_Bang '!'>} here_end_span_id: 584 stdin_parts: [<'#! '> ($ Id.VSub_DollarName SHELL) <'\n'> <'print hello\n'>] ) ) ] more_env: [] do_fork: T ) (command.AndOr ops: [Id.Op_DPipe] children: [ (command.Pipeline children: [(C {<check_restricted>} {(SQ <'script;:'>)})] negated: T stderr_indices: [] ) (C {<err_exit>} {(SQ <'script with #! pathname should run in restricted mode'>)}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (command.Pipeline children: [(C {<check_restricted>} {(SQ <script>)})] negated: T stderr_indices: [] ) (C {<err_exit>} { (SQ < 'script with #! pathname should run in restricted mode even if last command in script' > ) } ) ] ) (command.ForEach iter_names: [i] iterable: (for_iter.Words words:[{<PATH>} {<ENV>} {<FPATH>}]) body: (command.DoGroup children: [ (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<check_restricted>} {(DQ <'function foo { typeset '> ($ Id.VSub_DollarName i) <'=foobar;};foo'>)} ) (C {<err_exit>} {(DQ ($ Id.VSub_DollarName i) <' can be changed in function by using typeset'>)} ) ] ) ] ) redirects: [] ) (command.ControlFlow token: <Id.ControlFlow_Exit exit> arg_word: {(word_part.ArithSub anode:($ Id.Lit_ArithVarLike Errors))} ) ] )