git-completion: sanitize the command names

Do not declare/execute commands that contain invalid or special characters.

If the autocompleted command contains illegal characters, for example when
misspelling `git pull` as `git [ull`, then the user will see an error. This
patch adds a character whitelist for commands that strips all but
lowercase alphabetic characters and dashes, so that misspells fail silently.

This patch uses the `[[` keyword that is not sh-compatible, but it's
okay since the change affects BASH and ZSH-specific autocomplete
scripts.

Signed-off-by: Vladyslav Burzakovskyy <[email protected]>

Author: MrMebelMan

contrib/completion/git-completion.bash

@@ -2853,6 +2853,7 @@ __git_support_parseopt_helper () {
 __git_complete_command () {
 	local command="$1"
 	local completion_func="_git_${command//-/_}"
+	[[ "$command" =~ [^a-z-] ]] && return 1
 	if ! declare -f $completion_func >/dev/null 2>/dev/null &&
 		declare -f _completion_loader >/dev/null 2>/dev/null
 	then

contrib/completion/git-completion.zsh

@@ -116,8 +116,9 @@ __git_zsh_bash_func ()
 	emulate -L ksh
 
 	local command=$1
-
 	local completion_func="_git_${command//-/_}"
+
+	[[ "$command" =~ [^a-z-] ]] && return
 	declare -f $completion_func >/dev/null && $completion_func && return
 
 	local expansion=$(__git_aliased_command "$command")