cocaine 0.5.2 → 0.5.3
Sign up to get free protection for your applications and to get access to all the features.
- data/README.md +1 -1
- data/lib/cocaine/command_line.rb +12 -2
- data/lib/cocaine/version.rb +1 -1
- data/spec/cocaine/command_line_spec.rb +14 -0
- metadata +2 -2
data/README.md
CHANGED
|
@@ -34,7 +34,7 @@ line = Cocaine::CommandLine.new("cat", ":file")
|
|
|
34
34
|
line.command(:file => "ohyeah?'`rm -rf /`.ha!") # => "cat 'ohyeah?'\\''`rm -rf /`.ha!'"
|
|
35
35
|
```
|
|
36
36
|
|
|
37
|
-
NOTE: It only does that for arguments interpolated via `run`, NOT
|
|
37
|
+
NOTE: It only does that for arguments interpolated via `run`, NOT arguments
|
|
38
38
|
passed into `new` (see 'Security' below):
|
|
39
39
|
|
|
40
40
|
```ruby
|
data/lib/cocaine/command_line.rb
CHANGED
|
@@ -122,11 +122,21 @@ module Cocaine
|
|
|
122
122
|
end
|
|
123
123
|
|
|
124
124
|
def interpolate(pattern, interpolations)
|
|
125
|
-
interpolations
|
|
126
|
-
|
|
125
|
+
interpolations = stringify_keys(interpolations)
|
|
126
|
+
pattern.gsub(/:\{?(\w+)\b\}?/) do |match|
|
|
127
|
+
key = match.tr(":{}", "")
|
|
128
|
+
interpolations.key?(key) ? shell_quote(interpolations[key]) : match
|
|
127
129
|
end
|
|
128
130
|
end
|
|
129
131
|
|
|
132
|
+
def stringify_keys(hash)
|
|
133
|
+
hash = hash.dup
|
|
134
|
+
hash.keys.each do |key|
|
|
135
|
+
hash[key.to_s] = hash.delete(key)
|
|
136
|
+
end
|
|
137
|
+
hash
|
|
138
|
+
end
|
|
139
|
+
|
|
130
140
|
def shell_quote(string)
|
|
131
141
|
return "" if string.nil?
|
|
132
142
|
if unix?
|
data/lib/cocaine/version.rb
CHANGED
|
@@ -64,6 +64,15 @@ describe Cocaine::CommandLine do
|
|
|
64
64
|
command_string.should == "convert 'a.jpg' 'b.png'"
|
|
65
65
|
end
|
|
66
66
|
|
|
67
|
+
it 'does not over-interpolate in a command line' do
|
|
68
|
+
cmd = Cocaine::CommandLine.new("convert",
|
|
69
|
+
":hell :{two} :hello",
|
|
70
|
+
:swallow_stderr => false)
|
|
71
|
+
|
|
72
|
+
command_string = cmd.command(:hell => "a.jpg", :two => "b.png", :hello => "c.tiff")
|
|
73
|
+
command_string.should == "convert 'a.jpg' 'b.png' 'c.tiff'"
|
|
74
|
+
end
|
|
75
|
+
|
|
67
76
|
it "interpolates when running a command" do
|
|
68
77
|
command = Cocaine::CommandLine.new("echo", ":hello_world")
|
|
69
78
|
command.run(:hello_world => "Hello, world").should match(/Hello, world/)
|
|
@@ -95,6 +104,11 @@ describe Cocaine::CommandLine do
|
|
|
95
104
|
command_string.should == "convert '`rm -rf`.jpg' 'ha'\\''ha.png'"
|
|
96
105
|
end
|
|
97
106
|
|
|
107
|
+
it 'cannot recursively introduce a place where user-supplied commands can run' do
|
|
108
|
+
cmd = Cocaine::CommandLine.new('convert', ':foo :bar')
|
|
109
|
+
cmd.command(:foo => ':bar', :bar => '`rm -rf`').should == 'convert \':bar\' \'`rm -rf`\''
|
|
110
|
+
end
|
|
111
|
+
|
|
98
112
|
it "can quote and interpolate dangerous variables even on windows" do
|
|
99
113
|
on_windows!
|
|
100
114
|
cmd = Cocaine::CommandLine.new("convert",
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cocaine
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.5.
|
|
4
|
+
version: 0.5.3
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2013-
|
|
12
|
+
date: 2013-10-22 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: climate_control
|