safe_shell 1.0.0

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -0,0 +1,22 @@
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## EMACS
+*~
+\#*
+.\#*
+
+## VIM
+*.swp
+
+## PROJECT::GENERAL
+coverage
+rdoc
+pkg
+
+## PROJECT::SPECIFIC
+tmp/*

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2010 Envato, Ian Leitch, & Pete Yandell.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,54 @@
+= SafeShell
+
+SafeShell lets you execute shell commands and get the resulting output, but without the security problems of Ruby's backtick operator.
+
+== Usage
+
+    gem install safe_shell
+
+    require 'safe_shell'
+    SafeShell.execute("echo", "Hello, world!")
+
+SafeShell sets the $? operator to the process status, in the same manner as the backtick operator.
+
+    # Send stdout and stderr to files:
+    SafeShell.execute("echo", "Hello, world!", :stdout => "output.txt", :stderr => "error.txt")
+
+    # Return true if the command exits with a zero status:
+    SafeShell.execute?("echo", "Hello, world!")
+
+== Why?
+
+If you use backticks to process a file supplied by a user, a carefully crafted filename could allow execution of an arbitrary command:
+
+    file = ";blah"
+    `echo #{file}`
+    sh: blah: command not found
+    => "\n"
+
+SafeShell solves this.
+
+    SafeShell.execute("echo", file)
+    => ";blah\n"
+
+== Compatibility
+
+Tested with Ruby 1.8.7, but it should be happy on pretty much any Ruby version. Maybe not so much on Windows.
+
+== Developing
+ 
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+  future version unintentionally.
+* Commit, do not mess with rakefile, version, or history.
+  (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.
+
+== Status
+
+In use on at least one big site, so should be pretty solid. There's not much to it, so I'm not expecting there'll be many releases.
+
+== Copyright
+
+Copyright (c) 2010 Envato, Ian Leitch, & Pete Yandell. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,45 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "safe_shell"
+    gem.summary = %Q{Safely execute shell commands and get their output.}
+    gem.description = %Q{Execute shell commands and get the resulting output, but without the security problems of Ruby’s backtick operator.}
+    gem.email = "pete@notahat.com"
+    gem.homepage = "http://github.com/envato/safe_shell"
+    gem.authors = ["Envato", "Ian Leitch", "Pete Yandell"]
+    gem.add_development_dependency "rspec", ">= 1.2.9"
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+end
+
+require 'spec/rake/spectask'
+Spec::Rake::SpecTask.new(:spec) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.spec_files = FileList['spec/**/*_spec.rb']
+end
+
+Spec::Rake::SpecTask.new(:rcov) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
+end
+
+task :spec => :check_dependencies
+
+task :default => :spec
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "safe_shell #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+1.0.0

data/lib/safe_shell.rb

@@ -0,0 +1,24 @@
+module SafeShell
+  def self.execute(command, *args)
+    opts = args.last.kind_of?(Hash) ? args.pop : {}
+    read_end, write_end = IO.pipe
+    new_stdout = opts[:stdout] ? File.open(opts[:stdout], "w+") : write_end
+    new_stderr = opts[:stderr] ? File.open(opts[:stderr], "w+") : write_end
+    pid = fork do
+      read_end.close
+      STDOUT.reopen(new_stdout)
+      STDERR.reopen(new_stderr)
+      exec(command, *args)
+    end
+    write_end.close
+    output = read_end.read
+    Process.waitpid(pid)
+    read_end.close
+    output
+  end
+
+  def self.execute?(*args)
+    execute(*args)
+    $?.success?
+  end
+end

data/spec/safe_shell_spec.rb

@@ -0,0 +1,39 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe "SafeShell" do
+
+  it "should return the output of the command" do
+    SafeShell.execute("echo", "Hello, world!").should == "Hello, world!\n"
+  end
+
+  it "should safely handle dangerous characters in command arguments" do
+    SafeShell.execute("echo", ";date").should == ";date\n"
+  end
+
+  it "should set $? to the exit status of the command" do
+    SafeShell.execute("test", "a", "=", "a")
+    $?.exitstatus.should == 0
+
+    SafeShell.execute("test", "a", "=", "b")
+    $?.exitstatus.should == 1
+  end
+
+  context "output redirection" do
+    before do
+      File.delete("tmp/output.txt") if File.exists?("tmp/output.txt")
+    end
+
+    it "should let you redirect stdout to a file" do
+      SafeShell.execute("echo", "Hello, world!", :stdout => "tmp/output.txt")
+      File.exists?("tmp/output.txt").should be_true
+      File.read("tmp/output.txt").should == "Hello, world!\n"
+    end
+
+    it "should let you redirect stderr to a file" do
+      SafeShell.execute("cat", "tmp/nonexistent-file", :stderr => "tmp/output.txt")
+      File.exists?("tmp/output.txt").should be_true
+      File.read("tmp/output.txt").should == "cat: tmp/nonexistent-file: No such file or directory\n"
+    end
+  end
+
+end

data/spec/spec.opts

@@ -0,0 +1 @@
+--color

data/spec/spec_helper.rb

@@ -0,0 +1,9 @@
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+require 'safe_shell'
+require 'spec'
+require 'spec/autorun'
+
+Spec::Runner.configure do |config|
+  
+end

metadata

@@ -0,0 +1,96 @@
+--- !ruby/object:Gem::Specification 
+name: safe_shell
+version: !ruby/object:Gem::Version 
+  hash: 23
+  prerelease: false
+  segments: 
+  - 1
+  - 0
+  - 0
+  version: 1.0.0
+platform: ruby
+authors: 
+- Envato
+- Ian Leitch
+- Pete Yandell
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-11-08 00:00:00 +11:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 13
+        segments: 
+        - 1
+        - 2
+        - 9
+        version: 1.2.9
+  type: :development
+  version_requirements: *id001
+description: "Execute shell commands and get the resulting output, but without the security problems of Ruby\xE2\x80\x99s backtick operator."
+email: pete@notahat.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.rdoc
+files: 
+- .document
+- .gitignore
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- lib/safe_shell.rb
+- spec/safe_shell_spec.rb
+- spec/spec.opts
+- spec/spec_helper.rb
+- tmp/.gitkeep
+has_rdoc: true
+homepage: http://github.com/envato/safe_shell
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: Safely execute shell commands and get their output.
+test_files: 
+- spec/safe_shell_spec.rb
+- spec/spec_helper.rb