command-runner 0.9.1 → 0.9.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7547604c52079e08e7fb9394e3ac7436332ca402
-  data.tar.gz: beaddb35df551eb3858a10fb3991e69d2963f8db
+  metadata.gz: 9b5636d13fb538ac969b67e6eb4fdc7ad5ddaa27
+  data.tar.gz: fa207be281ffb8b56279bbe7d50e76c1f52ef225
 SHA512:
-  metadata.gz: d4d2ae85fd767805cfa8d1d5c4ada39aae4ccb689d2d2ba150ba284f5336d016d1326fd9fc86011738dbdc95b13792ffb43210fa4f8c2cd918578598961e833b
-  data.tar.gz: 2d341ceec6a4f57732d88ab64be721842707435952eefce32da0fbf97855c0c0b0c977d247bc4f082b0a1d3a40a73e862f301b600279251895954ab4bb9036f0
+  metadata.gz: 037f29024cedc32f6b469288a2c7229f7d74d9035df02894b9b8685834f867eab990fc3c9f69a9ba305ae38eb33a7a141b284dbb46396603fde613083aaddaf3
+  data.tar.gz: 5804940205201d61ab9ff50164e75dc9e5b18c415d46a38747345b9a990e52c3d731f3e0754eb1f60253df69373cde1a514f9644f09605c6d34d7d61f6fbf3fc

data/README.md

@@ -1,5 +1,5 @@
 # Command Runner
-[![Build Status](https://travis-ci.org/redjazz96/command-runner.png?branch=master)](https://travis-ci.org/redjazz96/command-runner) [![Code Climate](https://codeclimate.com/github/redjazz96/command-runner.png)](https://codeclimate.com/github/redjazz96/command-runner)
+[![Build Status](https://travis-ci.org/medcat/command-runner.png?branch=master)](https://travis-ci.org/medcat/command-runner) [![Code Climate](https://codeclimate.com/github/medcat/command-runner.png)](https://codeclimate.com/github/medcat/command-runner)
 
 Runs commands.
 
@@ -46,7 +46,7 @@ It can also use different methods to run commands...
 
 ```Ruby
 line = Command::Runner.new("echo", "something")
-line.backends = Command::Runner::Backends::Spawn.new
+line.backend = Command::Runner::Backends::Spawn.new
 line.pass
 ```
 
@@ -80,7 +80,6 @@ It works on
 - 2.1.0
 - 2.0.0
 - 1.9.3
-- 1.8.7
 - JRuby (2.0 Mode)
 - JRuby (1.9 Mode)
 
@@ -88,5 +87,5 @@ It works on
 unless the travis build fails.
 
 
-[![Bitdeli Badge](https://d2weczhvl823v0.cloudfront.net/redjazz96/command-runner/trend.png)](https://bitdeli.com/free "Bitdeli Badge")
+[![Bitdeli Badge](https://d2weczhvl823v0.cloudfront.net/medcat/command-runner/trend.png)](https://bitdeli.com/free "Bitdeli Badge")
 

data/lib/command/runner/backends/backticks.rb

@@ -9,7 +9,7 @@ module Command
 
         # Returns whether or not this backend is avialable on this
         # platform.
-        def self.available?
+        def self.available?(_ = false)
           true
         end
 

data/lib/command/runner/backends/fake.rb

@@ -11,8 +11,10 @@ module Command
         # Returns whether or not this backend is avialable on this
         # platform.
         #
+        # @param force_unsafe [Boolean] if the backend needs to be
+        #   able to handle unsafe execution, then this will be true.
         # @abstract
-        def self.available?
+        def self.available?(force_unsafe = false)
           true
         end
 
@@ -27,6 +29,15 @@ module Command
           false
         end
 
+        # Whether or not it can handle unsafe execution.  This is in
+        # case the developer wants to force unsafe execution on a
+        # safe backend.
+        #
+        # @return [Boolean]
+        def self.unsafe_execution?
+          true
+        end
+
         # Initialize the fake backend.
         def initialize
           @ran = []

data/lib/command/runner/backends/posix_spawn.rb

@@ -13,10 +13,10 @@ module Command
         #
         # @see Fake.available?
         # @return [Boolean]
-        def self.available?
+        def self.available?(_ = false)
           @_available ||= begin
             require 'posix/spawn'
-            true
+            super
           rescue LoadError => e
             false
           end
@@ -27,7 +27,13 @@ module Command
         # @see Spawn#spawn
         # @return [Numeric]
         def spawn(env, command, arguments, options)
-          POSIX::Spawn.spawn(env, command, *[arguments, options].flatten)
+          if options.delete(:unsafe)
+            POSIX::Spawn.spawn(env,
+            "#{command} #{arguments.join(' ')}", options)
+          else
+            POSIX::Spawn.spawn(env, command,
+              *[arguments, options].flatten)
+          end
         end
 
       end

data/lib/command/runner/backends/spawn.rb

@@ -11,7 +11,7 @@ module Command
         # that platform.
         #
         # @return [Boolean]
-        def self.available?
+        def self.available?(_ = false)
           Process.respond_to?(:spawn) && !(RUBY_PLATFORM == "java" && RUBY_VERSION =~ /\A1\.9/)
         end
 
@@ -81,7 +81,11 @@ module Command
         # @see Process.spawn
         # @return [Numeric] the process id
         def spawn(env, command, arguments, options)
-          Process.spawn(env, command, *[arguments, options].flatten)
+          if options.delete(:unsafe)
+            Process.spawn(env, "#{command} #{arguments.join(' ')}", options)
+          else
+            Process.spawn(env, command, *arguments, options)
+          end
         end
 
         # Waits for the given process, and returns the process id and the

data/lib/command/runner/backends/ssh.rb

@@ -10,10 +10,14 @@ module Command
       class SSH < Fake
 
         # (see Fake.available?)
-        def self.available?
+        def self.available?(force_unsafe = false)
           begin
             require 'net/ssh'
-            true
+            if force_unsafe
+              false
+            else
+              true
+            end
           rescue LoadError
             false
           end
@@ -23,6 +27,10 @@ module Command
           true
         end
 
+        def self.unsafe_execution?
+          false
+        end
+
         # Initializes the backend.
         #
         # @param host [String] the host to connect to.
@@ -41,7 +49,7 @@ module Command
 
 
             ch.exec "#{command} " \
-              "#{arguments.join(" ").shellescape}" do |sch, success|
+              "#{arguments.join(" ")}" do |sch, success|
               raise Errno::ENOENT unless success
 
               env.each do |k, v|

data/lib/command/runner/backends/unsafe_fake.rb

@@ -0,0 +1,19 @@
+module Command
+  class Runner
+    module Backends
+      class UnsafeFake < Fake
+
+        # A backend is considered unsafe when the arguments are
+        # exposed directly to the shell.  This is a vulnerability, so
+        # we mark the class as unsafe and when we're about to pass
+        # the arguments to the backend, escape the safe
+        # interpolations.
+        #
+        # @return [Boolean]
+        def self.unsafe?
+          true
+        end
+      end
+    end
+  end
+end

data/lib/command/runner/backends.rb

@@ -11,6 +11,7 @@ module Command
       autoload :Spawn, "command/runner/backends/spawn"
       autoload :Backticks, "command/runner/backends/backticks"
       autoload :PosixSpawn, "command/runner/backends/posix_spawn"
+      autoload :UnsafeFake, "command/runner/backends/unsafe_fake"
 
     end
 

data/lib/command/runner/version.rb

@@ -3,7 +3,7 @@ module Command
   class Runner
 
     # The current version of Runner.
-    VERSION = "0.9.1".freeze
+    VERSION = "0.9.2".freeze
 
   end
 end

data/lib/command/runner.rb

@@ -1,5 +1,6 @@
 require 'shellwords'
 require 'future'
+require 'hashie'
 
 require 'command/runner/version'
 require 'command/runner/message'
@@ -24,11 +25,11 @@ module Command
       #
       # @return [#call] a backend to use.
       def best_backend(force_unsafe = false)
-        if Backends::PosixSpawn.available? && !force_unsafe
+        if Backends::PosixSpawn.available?(force_unsafe)
           Backends::PosixSpawn.new
-        elsif Backends::Spawn.available? && !force_unsafe
+        elsif Backends::Spawn.available?(force_unsafe)
           Backends::Spawn.new
-        elsif Backends::Backticks.available?
+        elsif Backends::Backticks.available?(force_unsafe)
           Backends::Backticks.new
         else
           Backends::Fake.new
@@ -98,7 +99,9 @@ module Command
     # @return [Message, Object] message if no block was given, the
     #   return value of the block otherwise.
     def pass!(interops = {}, options = {}, &block)
-      backend.call(*[contents(interops), options.delete(:env) || {}, options].flatten(1), &block)
+      options[:unsafe] = @unsafe
+      env = options.delete(:env) || {}
+      backend.call(*contents(interops), env, options, &block)
 
     rescue Errno::ENOENT
       raise NoCommandError, @command
@@ -135,7 +138,7 @@ module Command
     #
     # @return [void]
     def force_unsafe!
-      @backend = self.class.best_backend(true)
+      @unsafe = true
     end
 
     # The command line being run by the runner. Interpolates the
@@ -159,24 +162,35 @@ module Command
     # @param interops [Hash] the interpolations to make.
     # @return [Array<String>] the interpolated string.
     def interpolate(string, interops = {})
-      interops = interops.to_a.map { |(k, v)| { k.to_s => v } }.inject(&:merge) || {}
-      results = [*string.shellsplit]
-
-      results.map do |part|
-        if part =~ /(\{{1,2})([0-9a-zA-Z_\-]+)(\}{1,2})/
-          if interops.key?($2) && $1.length == $3.length
-            if $1.length == 1
-              escape interops[$2].to_s
+      interops = Hashie::Mash.new(interops)
+      args = string.shellsplit
+
+      args.map do |arg|
+        arg.gsub(/(\{{1,2})([0-9a-zA-Z_\-.]+)(\}{1,2})/) do |m|
+          if $1.length != $3.length
+            next m
+          end
+
+          ops = interops
+          parts = $2.split('.')
+          parts.each do |part|
+            if ops.key?(part)
+              ops = ops[part]
             else
-              interops[$2].to_s.shellsplit
+              ops = nil
+              break
             end
+          end
+
+          if ops == nil
+            m
+          elsif $1.length == 1
+            escape(ops)
           else
-            part
+            ops
           end
-        else
-          part
         end
-      end.flatten
+      end
     end
 
     private
@@ -187,7 +201,7 @@ module Command
     # @param string [String] the string to escape.
     # @return [String] the escaped string.
     def escape(string)
-      if backend.unsafe?
+      if backend.unsafe? || @unsafe
         Shellwords.escape(string)
       else
         string

data/spec/backticks_spec.rb

@@ -1,19 +1,19 @@
 describe Command::Runner::Backends::Backticks do
 
   it "is available" do
-    Command::Runner::Backends::Backticks.should be_available
+    expect(Command::Runner::Backends::Backticks).to be_available
   end
 
-  its(:unsafe?) { should be_true }
+  it("is unsafe") { expect(described_class).to be_unsafe }
 
   it "returns a message" do
     value = subject.call("echo", ["hello"])
-    value.should be_instance_of Command::Runner::Message
-    value.should be_executed
+    expect(value).to be_instance_of Command::Runner::Message
+    expect(value).to be_executed
   end
 
   it "gives the correct time" do
-    subject.call("sleep", ["0.5"]).time.should be_within(0.1).of(0.5)
+    expect(subject.call("sleep", ["0.5"]).time).to be_within(0.1).of(0.5)
   end
 
 end

data/spec/interpolation_spec.rb

@@ -0,0 +1,19 @@
+describe Command::Runner do
+
+  before :each do
+    Command::Runner.backend = Command::Runner::Backends::Fake.new
+  end
+
+  subject { Command::Runner.new("gcc", "{env.flags} -o {output} {input} -l{lib}") }
+  let(:data) do
+    { env: { flags: "-g3" },
+      output: "test",
+      input: "test.c",
+      lib: "m" }
+  end
+
+  it "interpolates correctly" do
+    value = subject.contents(data).last
+    expect(value).to eq ["-g3", "-o", "test", "test.c", "-lm"]
+  end
+end

data/spec/messenger_spec.rb

@@ -1,7 +1,7 @@
 describe Command::Runner do
 
   before :each do
-    Command::Runner.backend = Command::Runner::Backends::Fake.new
+    Command::Runner.backend = Command::Runner::Backends::UnsafeFake.new
   end
 
   subject do
@@ -21,13 +21,13 @@ describe Command::Runner do
     it "escapes bad values" do
       expect(
         subject.contents(:interpolation => "`bad value`")
-      ).to eq ["echo", ["some", "`bad value`"]]
+      ).to eq ["echo", ["some", "\\`bad\\ value\\`"]]
     end
 
     it "doesn't interpolate interpolation values" do
       expect(
         subject.contents(:interpolation => "{other}", :other => "hi")
-      ).to eq ["echo", ["some", "{other}"]]
+      ).to eq ["echo", ["some", "\\{other\\}"]]
     end
   end
 
@@ -44,7 +44,7 @@ describe Command::Runner do
     it "doesn't escape bad values" do
       expect(
         subject.contents(:interpolation => "`bad value`")
-      ).to eq ["echo", ["some", "`bad", "value`"]]
+      ).to eq ["echo", ["some", "`bad value`"]]
     end
   end
 
@@ -61,16 +61,17 @@ describe Command::Runner do
 
   context "when selecting backends" do
     it "selects the best backend" do
-      Command::Runner::Backends::PosixSpawn.stub(:available?).and_return(false)
-      Command::Runner::Backends::Spawn.stub(:available?).and_return(true)
-      Command::Runner.best_backend.should be_instance_of Command::Runner::Backends::Spawn
-
-      Command::Runner::Backends::PosixSpawn.stub(:available?).and_return(true)
-      Command::Runner.best_backend.should be_instance_of Command::Runner::Backends::PosixSpawn
-    end
-
-    it "takes into account unsafe backends" do
-      Command::Runner.best_backend(true).should be_unsafe
+      allow(Command::Runner::Backends::PosixSpawn).
+        to receive(:available?).and_return(false)
+      allow(Command::Runner::Backends::Spawn).
+        to receive(:available?).and_return(true)
+      expect(Command::Runner.best_backend).
+        to be_instance_of Command::Runner::Backends::Spawn
+
+      allow(Command::Runner::Backends::PosixSpawn).
+        to receive(:available?).and_return(true)
+      expect(Command::Runner.best_backend).
+        to be_instance_of Command::Runner::Backends::PosixSpawn
     end
   end
 
@@ -82,7 +83,9 @@ describe Command::Runner do
       subject.backend = Command::Runner::Backends::Backticks.new
     end
 
-    its(:pass) { should be_no_command }
+    it "should result in no command" do
+      expect(subject.pass).to be_no_command
+    end
 
     it "calls the block given" do
       subject.pass do |message|

data/spec/spawn_spec.rb

@@ -2,16 +2,16 @@ describe Command::Runner::Backends::Spawn do
 
   next unless Process.respond_to?(:spawn) && !(RUBY_PLATFORM == "java" && RUBY_VERSION =~ /\A1\.9/)
 
-  its(:unsafe?) { should be_false }
+  it("is safe") { expect(described_class).to_not be_unsafe }
 
   it "is available" do
-    Command::Runner::Backends::Spawn.should be_available
+    expect(Command::Runner::Backends::Spawn).to be_available
   end
 
   it "returns a message" do
     value = subject.call("echo", ["hello"])
-    value.should be_instance_of Command::Runner::Message
-    value.should be_executed
+    expect(value).to be_instance_of Command::Runner::Message
+    expect(value).to be_executed
   end
 
   it "doesn't block" do
@@ -19,8 +19,8 @@ describe Command::Runner::Backends::Spawn do
     value = subject.call("sleep", ["0.5"])
     end_time = Time.now
 
-    (end_time - start_time).should be_within((1.0/100)).of(0)
-    value.time.should be_within((3.0/100)).of(0.5)
+    expect(end_time - start_time).to be_within((1.0/100)).of(0)
+    expect(value.time).to be_within((3.0/100)).of(0.5)
   end
 
   it "doesn't expose arguments to the shell" do
@@ -29,8 +29,14 @@ describe Command::Runner::Backends::Spawn do
     expect(value.stdout).to eq "`uname -a`\n"
   end
 
+  it "can be unsafe" do
+    value = subject.call("echo", ["`uname -a`"], {}, unsafe: true)
+
+    expect(value.stdout).to_not eq "`uname -a`\n"
+  end
+
   it "can not be available" do
-    Command::Runner::Backends::Spawn.stub(:available?).and_return(false)
+    allow(Command::Runner::Backends::Spawn).to receive(:available?).and_return(false)
 
     expect {
       Command::Runner::Backends::Spawn.new

data/spec/spec_helper.rb

@@ -0,0 +1,4 @@
+RSpec.configure do |config|
+  config.raise_errors_for_deprecations!
+  config.order = 'random'
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: command-runner
 version: !ruby/object:Gem::Version
-  version: 0.9.1
+  version: 0.9.2
 platform: ruby
 authors:
 - Jeremy Rodi
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-03-15 00:00:00.000000000 Z
+date: 2014-09-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: promise
@@ -24,6 +24,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: hashie
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -83,13 +97,16 @@ files:
 - lib/command/runner/backends/posix_spawn.rb
 - lib/command/runner/backends/spawn.rb
 - lib/command/runner/backends/ssh.rb
+- lib/command/runner/backends/unsafe_fake.rb
 - lib/command/runner/exceptions.rb
 - lib/command/runner/message.rb
 - lib/command/runner/version.rb
 - spec/backticks_spec.rb
+- spec/interpolation_spec.rb
 - spec/messenger_spec.rb
 - spec/spawn_spec.rb
-homepage: http://github.com/redjazz96/command-runner
+- spec/spec_helper.rb
+homepage: http://github.com/medcat/command-runner
 licenses:
 - MIT
 metadata: {}