command-runner 0.6.1 → 0.7.1

checksums.yaml

@@ -0,0 +1,7 @@
+--- 
+SHA1: 
+  metadata.gz: 35d339b7a9ec8370365504412a82dfb2e18523b3
+  data.tar.gz: 2ed783e009554db92e0374534ebe10dadc6e05de
+SHA512: 
+  metadata.gz: d038c4a0686d3dd7f484bc2a6f3f3eef464c6c1b1b2bab19d2a607ad21cc940d068229ce0af4f21380da9735f0d649f90dfee0ae88f2f8d7a212ab8f8dfff08f
+  data.tar.gz: 7578cae4033ef1491a4d9c3534507d5bda162dcb81711325de219e447ab060610d5fcb0f9852d75cb540cad1578632034205a229efd5f7061393a8c963e0d732

data/README.md

@@ -1,4 +1,6 @@
-# Command Runner [![Build Status](https://travis-ci.org/redjazz96/command-runner.png?branch=master)](https://travis-ci.org/redjazz96/command-runner)
+# Command Runner
+[![Build Status](https://travis-ci.org/redjazz96/command-runner.png?branch=master)](https://travis-ci.org/redjazz96/command-runner) [![Code Climate](https://codeclimate.com/github/redjazz96/command-runner.png)](https://codeclimate.com/github/redjazz96/command-runner)
+
 Runs commands.
 
 ```Ruby
@@ -34,6 +36,7 @@ unless you don't want it to.
 
 ```Ruby
 line = Command::Runner.new("echo", "{{interpolation}}")
+line.force_unsafe!
 message = line.pass(:interpolation => "`uname -a`")
 message.stdout # => "Linux Hyperion 3.8.0-25-generic #37-Ubuntu SMP Thu Jun 6 20:47:07 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux\n"
 message.line   # => "echo `uname -a`"
@@ -74,10 +77,16 @@ and return the value.
 ## Compatibility
 It works on
 
+- 2.1.0
 - 2.0.0
 - 1.9.3
 - 1.8.7
-- REE
-- JRuby (1.8 Mode)
+- JRuby (2.0 Mode)
+- JRuby (1.9 Mode)
+
 
 unless the travis build fails.
+
+
+[![Bitdeli Badge](https://d2weczhvl823v0.cloudfront.net/redjazz96/command-runner/trend.png)](https://bitdeli.com/free "Bitdeli Badge")
+

data/lib/command/runner.rb

@@ -23,10 +23,10 @@ module Command
       # Returns the best backend for messenger to use.
       #
       # @return [#call] a backend to use.
-      def best_backend
-        if Backends::PosixSpawn.available?
+      def best_backend(force_unsafe = false)
+        if Backends::PosixSpawn.available? && !force_unsafe
           Backends::PosixSpawn.new
-        elsif Backends::Spawn.available?
+        elsif Backends::Spawn.available? && !force_unsafe
           Backends::Spawn.new
         elsif Backends::Backticks.available?
           Backends::Backticks.new
@@ -98,7 +98,7 @@ module Command
     # @return [Message, Object] message if no block was given, the
     #   return value of the block otherwise.
     def pass!(interops = {}, options = {}, &block)
-      backend.call(*[contents(interops), options.delete(:env) || {}, options].flatten, &block)
+      backend.call(*[contents(interops), options.delete(:env) || {}, options].flatten(1), &block)
 
     rescue Errno::ENOENT
       raise NoCommandError, @command
@@ -128,6 +128,16 @@ module Command
 
     alias_method :run, :pass
 
+    # Whether or not to force an unsafe backend.  This should only be
+    # used in cases where the developer wants the arguments passed to
+    # a shell, so that the unsafe interpolated arguments can be
+    # shell'd.
+    #
+    # @return [void]
+    def force_unsafe!
+      @backend = self.class.best_backend(true)
+    end
+
     # The command line being run by the runner. Interpolates the
     # arguments with the given interpolations.
     #
@@ -147,27 +157,41 @@ module Command
     #
     # @param string [String] the string to interpolate.
     # @param interops [Hash] the interpolations to make.
-    # @return [String] the interpolated string.
+    # @return [Array<String>] the interpolated string.
     def interpolate(string, interops = {})
       interops = interops.to_a.map { |(k, v)| { k.to_s => v } }.inject(&:merge) || {}
-
-      string.gsub(/(\{{1,2})([0-9a-zA-Z_\-]+)(\}{1,2})/) do |m|
-        if interops.key?($2) && $1.length == $3.length
-          if $1.length < 2 then escape(interops[$2].to_s) else interops[$2] end
+      results = [*string.shellsplit]
+
+      results.map do |part|
+        if part =~ /(\{{1,2})([0-9a-zA-Z_\-]+)(\}{1,2})/
+          if interops.key?($2) && $1.length == $3.length
+            if $1.length == 1
+              escape interops[$2].to_s
+            else
+              interops[$2].to_s.shellsplit
+            end
+          else
+            part
+          end
         else
-          m
+          part
         end
-      end
+      end.flatten
     end
 
     private
 
-    # Escape the given string for a shell.
+    # Escape the given string for a shell if the backend is unsafe,
+    # otherwise it just returns the string.
     #
     # @param string [String] the string to escape.
     # @return [String] the escaped string.
     def escape(string)
-      Shellwords.escape(string)
+      if backend.unsafe?
+        Shellwords.escape(string)
+      else
+        string
+      end
     end
 
   end

data/lib/command/runner/backends/backticks.rb

@@ -1,3 +1,5 @@
+require 'stringio'
+
 module Command
   class Runner
     module Backends
@@ -11,6 +13,10 @@ module Command
           true
         end
 
+        def self.unsafe?
+          true
+        end
+
         # Initialize the fake backend.
         def initialize
           super
@@ -36,10 +42,14 @@ module Command
 
           with_modified_env(env) do
             start_time = Time.now
-            output << `#{command} #{arguments}`
+            output << `#{command} #{arguments.join(' ')}`
             end_time = Time.now
           end
 
+          if $?.exitstatus == 127
+            raise NoCommandError
+          end
+
           message = Message.new :process_id => $?.pid,
                       :exit_code => $?.exitstatus,
                       :finished => true,
@@ -47,7 +57,7 @@ module Command
                       :env => env,
                       :options => {},
                       :stdout => output,
-                      :line => [command, arguments].join(' '),
+                      :line => [command, arguments].flatten.join(' '),
                       :executed => true,
                       :status => $?
 

data/lib/command/runner/backends/fake.rb

@@ -16,6 +16,17 @@ module Command
           true
         end
 
+        # A backend is considered unsafe when the arguments are
+        # exposed directly to the shell.  This is a vulnerability, so
+        # we mark the class as unsafe and when we're about to pass
+        # the arguments to the backend, escape the safe
+        # interpolations.
+        #
+        # @return [Boolean]
+        def self.unsafe?
+          false
+        end
+
         # Initialize the fake backend.
         def initialize
           @ran = []
@@ -41,7 +52,7 @@ module Command
           @ran << [command, arguments]
 
           message = Message.new :env => env, :options => options, :line =>
-            [command, arguments].join(' ')
+            [command, *arguments].join(' ')
         end
 
         # Determines whether or not the given command and arguments were
@@ -52,7 +63,12 @@ module Command
         # @param arguments [String]
         # @return [Boolean]
         def ran?(command, arguments)
-          @ran.include?([command, arguments])
+          @ran.include?([command, *arguments])
+        end
+
+        # (see ::unsafe?)
+        def unsafe?
+          self.class.unsafe?
         end
 
       end

data/lib/command/runner/backends/posix_spawn.rb

@@ -26,8 +26,8 @@ module Command
         #
         # @see Spawn#spawn
         # @return [Numeric]
-        def spawn(env, line, options)
-          POSIX::Spawn.spawn(env, line, options)
+        def spawn(env, command, arguments, options)
+          POSIX::Spawn.spawn(env, command, *[arguments, options].flatten)
         end
 
       end

data/lib/command/runner/backends/spawn.rb

@@ -44,10 +44,10 @@ module Command
 
           stdin_w.close
 
-          line = [command, arguments].join(' ')
+          line = [command, *arguments].join(' ')
 
           start_time = Time.now
-          process_id = spawn(env, line, new_options)
+          process_id = spawn(env, command, arguments, new_options)
 
           future do
             _, status = wait2(process_id)
@@ -80,8 +80,8 @@ module Command
         #
         # @see Process.spawn
         # @return [Numeric] the process id
-        def spawn(env, line, options)
-          Process.spawn(env, line, options)
+        def spawn(env, command, arguments, options)
+          Process.spawn(env, command, *[arguments, options].flatten)
         end
 
         # Waits for the given process, and returns the process id and the

data/lib/command/runner/backends/ssh.rb

@@ -19,6 +19,10 @@ module Command
           end
         end
 
+        def self.unsafe?
+          true
+        end
+
         # Initializes the backend.
         #
         # @param host [String] the host to connect to.
@@ -36,7 +40,8 @@ module Command
           channel = @net_ssh.open_channel do |ch|
 
 
-            ch.exec "#{command} #{arguments}" do |sch, success|
+            ch.exec "#{command} " \
+              "#{arguments.join(" ").shellescape}" do |sch, success|
               raise Errno::ENOENT unless success
 
               env.each do |k, v|

data/lib/command/runner/version.rb

@@ -3,7 +3,7 @@ module Command
   class Runner
 
     # The current version of Runner.
-    VERSION = "0.6.1".freeze
+    VERSION = "0.7.1".freeze
 
   end
 end

data/spec/backticks_spec.rb

@@ -4,13 +4,16 @@ describe Command::Runner::Backends::Backticks do
     Command::Runner::Backends::Backticks.should be_available
   end
 
+  its(:unsafe?) { should be_true }
+
   it "returns a message" do
-    value = subject.call("echo", "hello")
+    value = subject.call("echo", ["hello"])
     value.should be_instance_of Command::Runner::Message
     value.should be_executed
   end
 
   it "gives the correct time" do
-    subject.call("sleep", "0.5").time.should be_within(0.1).of(0.5)
+    subject.call("sleep", ["0.5"]).time.should be_within(0.1).of(0.5)
   end
+
 end

data/spec/messenger_spec.rb

@@ -8,46 +8,58 @@ describe Command::Runner do
     Command::Runner.new(command, arguments)
   end
 
-  context "interpolating strings" do
+  context "when interpolating" do
     let(:command) { "echo" }
     let(:arguments) { "some {interpolation}" }
 
     it "interpolates correctly" do
-      subject.contents(:interpolation => "test").should == ["echo", "some test"]
+      expect(
+        subject.contents(:interpolation => "test")
+      ).to eq ["echo", ["some", "test"]]
     end
 
     it "escapes bad values" do
-      subject.contents(:interpolation => "`bad value`").should == ["echo", "some \\`bad\\ value\\`"]
+      expect(
+        subject.contents(:interpolation => "`bad value`")
+      ).to eq ["echo", ["some", "`bad value`"]]
     end
 
     it "doesn't interpolate interpolation values" do
-      subject.contents(:interpolation => "{other}", :other => "hi").should == ["echo", "some \\{other\\}"]
+      expect(
+        subject.contents(:interpolation => "{other}", :other => "hi")
+      ).to eq ["echo", ["some", "{other}"]]
     end
   end
 
-  context "double interpolated strings" do
+  context "when interpolating double strings" do
     let(:command) { "echo" }
     let(:arguments) { "some {{interpolation}}" }
 
     it "interpolates correctly" do
-      subject.contents(:interpolation => "test").should == ["echo", "some test"]
+      expect(
+        subject.contents(:interpolation => "test")
+      ).to eq ["echo", ["some", "test"]]
     end
 
     it "doesn't escape bad values" do
-      subject.contents(:interpolation => "`bad value`").should == ["echo", "some `bad value`"]
+      expect(
+        subject.contents(:interpolation => "`bad value`")
+      ).to eq ["echo", ["some", "`bad", "value`"]]
     end
   end
 
-  context "misinterpolated strings" do
+  context "when interpolating misinterpolated strings" do
     let(:command) { "echo" }
     let(:arguments) { "some {{interpolation}" }
 
     it "doesn't interpolate" do
-      subject.contents(:interpolation => "test").should == ["echo", "some {{interpolation}"]
+      expect(
+        subject.contents(:interpolation => "test")
+      ).to eq ["echo", ["some", "{{interpolation}"]]
     end
   end
 
-  context "selecting backends" do
+  context "when selecting backends" do
     it "selects the best backend" do
       Command::Runner::Backends::PosixSpawn.stub(:available?).and_return(false)
       Command::Runner::Backends::Spawn.stub(:available?).and_return(true)
@@ -56,9 +68,13 @@ describe Command::Runner do
       Command::Runner::Backends::PosixSpawn.stub(:available?).and_return(true)
       Command::Runner.best_backend.should be_instance_of Command::Runner::Backends::PosixSpawn
     end
+
+    it "takes into account unsafe backends" do
+      Command::Runner.best_backend(true).should be_unsafe
+    end
   end
 
-  context "bad commands" do
+  context "when given bad commands" do
     let(:command) { "some-non-existant-command" }
     let(:arguments) { "" }
 
@@ -69,12 +85,37 @@ describe Command::Runner do
     its(:pass) { should be_no_command }
 
     it "calls the block given" do
-      subject.backend = Command::Runner::Backends::Backticks.new
       subject.pass do |message|
-        message.should be_no_command
 
-        message.line.should == "some-non-existant-command "
+        expect(message.line).to eq "some-non-existant-command "
+      end
+    end
+  end
+
+  context "when passing commands" do
+    let(:command) { "echo" }
+    let(:arguments) { "{interpolation}" }
+
+    before :each do
+      subject.backend = Command::Runner::Backends::Backticks.new
+    end
+
+    it "escapes bad values" do
+      subject.pass(:interpolation => "`uname -a`") do |message|
+        expect(message.stdout).to eq "`uname -a`\n"
       end
     end
+
+    it "returns the last value in the block" do
+      expect(
+        subject.pass(:interpolation => "hi") { |m| m.stdout }
+      ).to eq "hi\n"
+    end
+
+    it "returns a message" do
+      expect(
+        subject.pass
+      ).to be_a Command::Runner::Message
+    end
   end
 end

data/spec/spawn_spec.rb

@@ -2,23 +2,31 @@ describe Command::Runner::Backends::Spawn do
 
   next unless Process.respond_to?(:spawn) && !(RUBY_PLATFORM == "java" && RUBY_VERSION =~ /\A1\.9/)
 
+  its(:unsafe?) { should be_false }
+
   it "is available" do
     Command::Runner::Backends::Spawn.should be_available
   end
 
   it "returns a message" do
-    value = subject.call("echo", "hello")
+    value = subject.call("echo", ["hello"])
     value.should be_instance_of Command::Runner::Message
     value.should be_executed
   end
 
   it "doesn't block" do
     start_time = Time.now
-    value = subject.call("sleep", "0.5")
+    value = subject.call("sleep", ["0.5"])
     end_time = Time.now
 
     (end_time - start_time).should be_within((1.0/100)).of(0)
-    value.time.should be_within((2.0/100)).of(0.5)
+    value.time.should be_within((3.0/100)).of(0.5)
+  end
+
+  it "doesn't expose arguments to the shell" do
+    value = subject.call("echo", ["`uname -a`"])
+
+    expect(value.stdout).to eq "`uname -a`\n"
   end
 
   it "can not be available" do
@@ -28,4 +36,5 @@ describe Command::Runner::Backends::Spawn do
       Command::Runner::Backends::Spawn.new
     }.to raise_error(Command::Runner::NotAvailableBackendError)
   end
+
 end

metadata

@@ -1,108 +1,99 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: command-runner
-version: !ruby/object:Gem::Version
-  version: 0.6.1
-  prerelease: 
+version: !ruby/object:Gem::Version 
+  version: 0.7.1
 platform: ruby
-authors:
+authors: 
 - Jeremy Rodi
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-07-07 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+
+date: 2014-01-05 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
   name: promise
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '0.3'
-  type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '0.3'
-- !ruby/object:Gem::Dependency
+      - !ruby/object:Gem::Version 
+        version: "0.3"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
   name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    requirements: 
+    - &id003 
+      - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+  type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
   name: yard
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    requirements: 
+    - *id003
   type: :development
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: fuubar
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-description: ! "  Runs a command or two in the shell with arguments that can be\n
-  \ interpolated with the interpolation syntax.\n"
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    requirements: 
+    - *id003
+  type: :development
+  version_requirements: *id005
+description: "  Runs a command or two in the shell with arguments that can be\n  interpolated with the interpolation syntax.\n"
 email: redjazz96@gmail.com
 executables: []
+
 extensions: []
+
 extra_rdoc_files: []
-files:
+
+files: 
 - README.md
-- lib/command/runner/version.rb
-- lib/command/runner/exceptions.rb
-- lib/command/runner/backends.rb
+- lib/command/runner.rb
 - lib/command/runner/message.rb
-- lib/command/runner/backends/fake.rb
-- lib/command/runner/backends/backticks.rb
-- lib/command/runner/backends/ssh.rb
 - lib/command/runner/backends/posix_spawn.rb
+- lib/command/runner/backends/ssh.rb
+- lib/command/runner/backends/backticks.rb
+- lib/command/runner/backends/fake.rb
 - lib/command/runner/backends/spawn.rb
-- lib/command/runner.rb
-- spec/messenger_spec.rb
+- lib/command/runner/exceptions.rb
+- lib/command/runner/backends.rb
+- lib/command/runner/version.rb
 - spec/spawn_spec.rb
+- spec/messenger_spec.rb
 - spec/backticks_spec.rb
 homepage: http://github.com/redjazz96/command-runner
 licenses: []
+
+metadata: {}
+
 post_install_message: 
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
-required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - *id003
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - *id003
 requirements: []
+
 rubyforge_project: 
-rubygems_version: 1.8.25
+rubygems_version: 2.0.14
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: Runs commands.
 test_files: []
+
 has_rdoc: false