authorSamuel Giddins <segiddins@segiddins.me>2017-01-05 13:58:46 -0600
committerSamuel Giddins <segiddins@segiddins.me>2017-01-05 13:58:46 -0600
commit9cad3b74190a1770af608a9c521cadbe0feda516 (patch)
treeb3ce3c1da6bd358819cba9b6c3b0fefc66ac71b4
parent10695f68c42d9c4de7dd52cbe7781701a30a873c (diff)
[GitProxy] Use shellwords to escape user input
seg-git-branch-hash
-rw-r--r--lib/bundler/source/git/git_proxy.rb3
-rw-r--r--spec/install/gemfile/git_spec.rb57
-rw-r--r--spec/support/builders.rb10
3 files changed, 65 insertions, 5 deletions
diff --git a/lib/bundler/source/git/git_proxy.rb b/lib/bundler/source/git/git_proxy.rb
index 4000cc4a4f..e9b9c4dbe4 100644
--- a/lib/bundler/source/git/git_proxy.rb
+++ b/lib/bundler/source/git/git_proxy.rb
@@ -1,4 +1,5 @@
# frozen_string_literal: true
+require "shellwords"
require "tempfile"
module Bundler
class Source
@@ -180,7 +181,7 @@ module Bundler
def find_local_revision
allowed_in_path do
- git("rev-parse --verify '#{ref}'", true).strip
+ git("rev-parse --verify #{Shellwords.shellescape(ref)}", true).strip
end
end
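Review bot: The escaping on the added `rev-parse --verify` line stops the ref from breaking out of the shell command, but it does nothing about a ref that begins with `-`, which `git rev-parse` will still parse as an option because `Shellwords.shellescape` only quotes for the shell. Since the commit title describes `ref` as user input, consider rejecting such refs before the command is built, e.g. `raise GitError, "invalid ref #{ref.inspect}" if ref.to_s.start_with?("-")` ahead of the `git(...)` call, or terminating option parsing with `rev-parse --verify --end-of-options #{Shellwords.shellescape(ref)}` where the supported git versions allow it (that flag is git 2.24+, so the explicit check is the more portable choice). The `git` helper's command construction is outside the hunk, so it cannot be confirmed here whether the string is still run through a shell; if it is, passing an argument array to the spawn call would remove the need for escaping entirely. `find_local_revision` is fully visible in the hunk.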
diff --git a/spec/install/gemfile/git_spec.rb b/spec/install/gemfile/git_spec.rb
index 3d18d2001d..aa5ca7cfef 100644
--- a/spec/install/gemfile/git_spec.rb
+++ b/spec/install/gemfile/git_spec.rb
@@ -238,6 +238,63 @@ describe "bundle install with git sources" do
expect(the_bundle).to include_gems("foo 1.0")
end
end
+
+ context "when the branch includes quotes" do
+ let(:branch) { %('") }
+ it "works" do
+ install_gemfile <<-G
+ git "#{repo}", :branch => #{branch.dump} do
+ gem "foo"
+ end
+ G
+
+ expect(the_bundle).to include_gems("foo 1.0")
+ end
+ end
+ end
+
+ describe "when specifying a tag" do
+ let(:tag) { "tag" }
+ let(:repo) { build_git("foo").path }
+ before(:each) do
+ update_git("foo", :path => repo, :tag => tag)
+ end
+
+ it "works" do
+ install_gemfile <<-G
+ git "#{repo}", :tag => #{tag.dump} do
+ gem "foo"
+ end
+ G
+
+ expect(the_bundle).to include_gems("foo 1.0")
+ end
+
+ context "when the tag starts with a `#`" do
+ let(:tag) { "#149/redirect-url-fragment" }
+ it "works" do
+ install_gemfile <<-G
+ git "#{repo}", :tag => #{tag.dump} do
+ gem "foo"
+ end
+ G
+
+ expect(the_bundle).to include_gems("foo 1.0")
+ end
+ end
+
+ context "when the tag includes quotes" do
+ let(:tag) { %('") }
+ it "works" do
+ install_gemfile <<-G
+ git "#{repo}", :tag => #{tag.dump} do
+ gem "foo"
+ end
+ G
+
+ expect(the_bundle).to include_gems("foo 1.0")
+ end
+ end
end
describe "when specifying local override" do
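Review bot: The two quote cases (`when the branch includes quotes` and `when the tag includes quotes`) only exercise quoting; a ref containing command-substitution characters would be a stronger regression check for the new escaping, since git's ref-name rules (check-ref-format) appear to permit `$`, `(`, `)` and `;` while forbidding space, `~`, `^`, `:`, `?`, `*`, `[`, `\` and a leading `-`, e.g. `let(:tag) { %q(v1;$(echo injected)) }` alongside the existing `%('")` case. The three `it "works"` bodies repeat the same Gemfile heredoc verbatim; a `let(:gemfile)` or a shared example would shorten the hunk and keep the cases from drifting apart. The enclosing `describe "bundle install with git sources"` block starts before the hunk.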
diff --git a/spec/support/builders.rb b/spec/support/builders.rb
index 55a7c9f7df..bda808c0b2 100644
--- a/spec/support/builders.rb
+++ b/spec/support/builders.rb
@@ -1,5 +1,6 @@
# frozen_string_literal: true
require "bundler/shared_helpers"
+require "shellwords"
module Spec
module Builders
@@ -664,14 +665,15 @@ module Spec
if branch = options[:branch]
raise "You can't specify `master` as the branch" if branch == "master"
+ escaped_branch = Shellwords.shellescape(branch)
- if `git branch | grep '#{branch}'`.empty?
- silently("git branch '#{branch}'")
+ if `git branch | grep #{escaped_branch}`.empty?
+ silently("git branch #{escaped_branch}")
end
- silently("git checkout '#{branch}'")
+ silently("git checkout #{escaped_branch}")
elsif tag = options[:tag]
- `git tag '#{tag}'`
+ `git tag #{Shellwords.shellescape(tag)}`
elsif options[:remote]
silently("git remote add origin file://#{options[:remote]}")
elsif options[:push]