thor 0.19.4 → 1.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 5fd71663b46487af27e6f0b6a0206f5140d0d196
-  data.tar.gz: d67e482d506417552648630f8a7bc4b1886fc06c
+SHA256:
+  metadata.gz: 30e79d2b0a96e87c8e6348467db577c6ad1e9acbbbac5d375417bc3e5a2b7698
+  data.tar.gz: 701f1ab842da90e599b96bd00d90481d716eb29e39e0283b5ff527c2033fc742
 SHA512:
-  metadata.gz: f15702a93adea15d623fd708962193b42bc38bf2b86dff66fe43f1078971fc38f5dedff0d6a78bd1bf9241315e83ede0c216ffedea8c452c55b57aff17d0d051
-  data.tar.gz: 1e7093648f0913e9c7e32c796ea795e819ca59331588885059bfcae9867172ea50144033c342d22c4d5c8ab628f135821bb9a0ab8645f7784c396482370b98c0
+  metadata.gz: 73b1ac80575d4422204cd8072950b5594739db3b6f3fde0f2f04359d51b1d4428524d25b9a3003ae9ec3f6be615cf635f3057bbc65558e6a17ba490ff045988b
+  data.tar.gz: eb7761a5e6f3674cb3231398145978b0eb53a6fa2c10e4cb9e99d8d523988efcefc8cae5dd163b8a3d6ead7424422d58b92311c200790ad6e2416e3f9757a90e

data/README.md

@@ -2,16 +2,8 @@ Thor
 ====
 
 [![Gem Version](http://img.shields.io/gem/v/thor.svg)][gem]
-[![Build Status](http://img.shields.io/travis/erikhuda/thor.svg)][travis]
-[![Dependency Status](http://img.shields.io/gemnasium/erikhuda/thor.svg)][gemnasium]
-[![Code Climate](http://img.shields.io/codeclimate/github/erikhuda/thor.svg)][codeclimate]
-[![Coverage Status](http://img.shields.io/coveralls/erikhuda/thor.svg)][coveralls]
 
 [gem]: https://rubygems.org/gems/thor
-[travis]: http://travis-ci.org/erikhuda/thor
-[gemnasium]: https://gemnasium.com/erikhuda/thor
-[codeclimate]: https://codeclimate.com/github/erikhuda/thor
-[coveralls]: https://coveralls.io/r/erikhuda/thor
 
 Description
 -----------
@@ -21,7 +13,13 @@ utilities.  It removes the pain of parsing command line options, writing
 build tool.  The syntax is Rake-like, so it should be familiar to most Rake
 users.
 
+Please note: Thor, by design, is a system tool created to allow seamless file and url
+access, which should not receive application user input. It relies on [open-uri][open-uri],
+which combined with application user input would provide a command injection attack
+vector.
+
 [rake]: https://github.com/ruby/rake
+[open-uri]: https://ruby-doc.org/stdlib-2.5.1/libdoc/open-uri/rdoc/index.html
 
 Installation
 ------------
@@ -31,7 +29,7 @@ Usage and documentation
 -----------------------
 Please see the [wiki][] for basic usage and other documentation on using Thor. You can also checkout the [official homepage][homepage].
 
-[wiki]: https://github.com/erikhuda/thor/wiki
+[wiki]: https://github.com/rails/thor/wiki
 [homepage]: http://whatisthor.com/
 
 Contributing

data/lib/thor/actions/create_file.rb

@@ -1,4 +1,4 @@
-require "thor/actions/empty_directory"
+require_relative "empty_directory"
 
 class Thor
   module Actions
@@ -58,6 +58,7 @@ class Thor
 
       def invoke!
         invoke_with_conflict_check do
+          require "fileutils"
           FileUtils.mkdir_p(File.dirname(destination))
           File.open(destination, "wb") { |f| f.write render }
         end

data/lib/thor/actions/create_link.rb

@@ -1,4 +1,4 @@
-require "thor/actions/create_file"
+require_relative "create_file"
 
 class Thor
   module Actions
@@ -33,11 +33,13 @@ class Thor
       # Boolean:: true if it is identical, false otherwise.
       #
       def identical?
-        exists? && File.identical?(render, destination)
+        source = File.expand_path(render, File.dirname(destination))
+        exists? && File.identical?(source, destination)
       end
 
       def invoke!
         invoke_with_conflict_check do
+          require "fileutils"
           FileUtils.mkdir_p(File.dirname(destination))
           # Create a symlink by default
           config[:symbolic] = true if config[:symbolic].nil?

data/lib/thor/actions/directory.rb

@@ -1,4 +1,4 @@
-require "thor/actions/empty_directory"
+require_relative "empty_directory"
 
 class Thor
   module Actions
@@ -56,7 +56,7 @@ class Thor
       attr_reader :source
 
       def initialize(base, source, destination = nil, config = {}, &block)
-        @source = File.expand_path(base.find_in_source_paths(source.to_s))
+        @source = File.expand_path(Dir[Util.escape_globs(base.find_in_source_paths(source.to_s))].first)
         @block  = block
         super(base, destination, {:recursive => true}.merge(config))
       end
@@ -96,22 +96,12 @@ class Thor
         end
       end
 
-      if RUBY_VERSION < "2.0"
-        def file_level_lookup(previous_lookup)
-          File.join(previous_lookup, "{*,.[a-z]*}")
-        end
-
-        def files(lookup)
-          Dir[lookup]
-        end
-      else
-        def file_level_lookup(previous_lookup)
-          File.join(previous_lookup, "*")
-        end
+      def file_level_lookup(previous_lookup)
+        File.join(previous_lookup, "*")
+      end
 
-        def files(lookup)
-          Dir.glob(lookup, File::FNM_DOTMATCH)
-        end
+      def files(lookup)
+        Dir.glob(lookup, File::FNM_DOTMATCH)
       end
     end
   end

data/lib/thor/actions/empty_directory.rb

@@ -48,12 +48,14 @@ class Thor
 
       def invoke!
         invoke_with_conflict_check do
+          require "fileutils"
           ::FileUtils.mkdir_p(destination)
         end
       end
 
       def revoke!
         say_status :remove, :red
+        require "fileutils"
         ::FileUtils.rm_rf(destination) if !pretend? && exists?
         given_destination
       end
@@ -112,11 +114,17 @@ class Thor
         if exists?
           on_conflict_behavior(&block)
         else
-          say_status :create, :green
           yield unless pretend?
+          say_status :create, :green
         end
 
         destination
+      rescue Errno::EISDIR, Errno::EEXIST
+        on_file_clash_behavior
+      end
+
+      def on_file_clash_behavior
+        say_status :file_clash, :red
       end
 
       # What to do when the destination file already exists.

data/lib/thor/actions/file_manipulation.rb

@@ -1,5 +1,4 @@
 require "erb"
-require "open-uri"
 
 class Thor
   module Actions
@@ -24,14 +23,14 @@ class Thor
       destination = args.first || source
       source = File.expand_path(find_in_source_paths(source.to_s))
 
-      create_file destination, nil, config do
+      resulting_destination = create_file destination, nil, config do
         content = File.binread(source)
         content = yield(content) if block
         content
       end
       if config[:mode] == :preserve
         mode = File.stat(source).mode
-        chmod(destination, mode, config)
+        chmod(resulting_destination, mode, config)
       end
     end
 
@@ -61,6 +60,9 @@ class Thor
     # destination. If a block is given instead of destination, the content of
     # the url is yielded and used as location.
     #
+    # +get+ relies on open-uri, so passing application user input would provide
+    # a command injection attack vector.
+    #
     # ==== Parameters
     # source<String>:: the address of the given content.
     # destination<String>:: the relative path to the destination root.
@@ -78,8 +80,13 @@ class Thor
       config = args.last.is_a?(Hash) ? args.pop : {}
       destination = args.first
 
-      source = File.expand_path(find_in_source_paths(source.to_s)) unless source =~ %r{^https?\://}
-      render = open(source) { |input| input.binmode.read }
+      render = if source =~ %r{^https?\://}
+        require "open-uri"
+        URI.send(:open, source) { |input| input.binmode.read }
+      else
+        source = File.expand_path(find_in_source_paths(source.to_s))
+        open(source) { |input| input.binmode.read }
+      end
 
       destination ||= if block_given?
         block.arity == 1 ? yield(render) : yield
@@ -113,7 +120,15 @@ class Thor
       context = config.delete(:context) || instance_eval("binding")
 
       create_file destination, nil, config do
-        content = CapturableERB.new(::File.binread(source), nil, "-", "@output_buffer").result(context)
+        match = ERB.version.match(/(\d+\.\d+\.\d+)/)
+        capturable_erb = if match && match[1] >= "2.2.0" # Ruby 2.6+
+          CapturableERB.new(::File.binread(source), :trim_mode => "-", :eoutvar => "@output_buffer")
+        else
+          CapturableERB.new(::File.binread(source), nil, "-", "@output_buffer")
+        end
+        content = capturable_erb.tap do |erb|
+          erb.filename = source
+        end.result(context)
         content = yield(content) if block
         content
       end
@@ -134,7 +149,10 @@ class Thor
       return unless behavior == :invoke
       path = File.expand_path(path, destination_root)
       say_status :chmod, relative_to_original_destination_root(path), config.fetch(:verbose, true)
-      FileUtils.chmod_R(mode, path) unless options[:pretend]
+      unless options[:pretend]
+        require "fileutils"
+        FileUtils.chmod_R(mode, path)
+      end
     end
 
     # Prepend text to a file. Since it depends on insert_into_file, it's reversible.
@@ -192,9 +210,9 @@ class Thor
     #
     # ==== Examples
     #
-    #   inject_into_class "app/controllers/application_controller.rb", ApplicationController, "  filter_parameter :password\n"
+    #   inject_into_class "app/controllers/application_controller.rb", "ApplicationController", "  filter_parameter :password\n"
     #
-    #   inject_into_class "app/controllers/application_controller.rb", ApplicationController do
+    #   inject_into_class "app/controllers/application_controller.rb", "ApplicationController" do
     #     "  filter_parameter :password\n"
     #   end
     #
@@ -204,13 +222,37 @@ class Thor
       insert_into_file(path, *(args << config), &block)
     end
 
+    # Injects text right after the module definition. Since it depends on
+    # insert_into_file, it's reversible.
+    #
+    # ==== Parameters
+    # path<String>:: path of the file to be changed
+    # module_name<String|Class>:: the module to be manipulated
+    # data<String>:: the data to append to the class, can be also given as a block.
+    # config<Hash>:: give :verbose => false to not log the status.
+    #
+    # ==== Examples
+    #
+    #   inject_into_module "app/helpers/application_helper.rb", "ApplicationHelper", "  def help; 'help'; end\n"
+    #
+    #   inject_into_module "app/helpers/application_helper.rb", "ApplicationHelper" do
+    #     "  def help; 'help'; end\n"
+    #   end
+    #
+    def inject_into_module(path, module_name, *args, &block)
+      config = args.last.is_a?(Hash) ? args.pop : {}
+      config[:after] = /module #{module_name}\n|module #{module_name} .*\n/
+      insert_into_file(path, *(args << config), &block)
+    end
+
     # Run a regular expression replacement on a file.
     #
     # ==== Parameters
     # path<String>:: path of the file to be changed
     # flag<Regexp|String>:: the regexp or string to be replaced
     # replacement<String>:: the replacement, can be also given as a block
-    # config<Hash>:: give :verbose => false to not log the status.
+    # config<Hash>:: give :verbose => false to not log the status, and
+    #                :force => true, to force the replacement regardles of runner behavior.
     #
     # ==== Example
     #
@@ -221,9 +263,10 @@ class Thor
     #   end
     #
     def gsub_file(path, flag, *args, &block)
-      return unless behavior == :invoke
       config = args.last.is_a?(Hash) ? args.pop : {}
 
+      return unless behavior == :invoke || config.fetch(:force, false)
+
       path = File.expand_path(path, destination_root)
       say_status :gsub, relative_to_original_destination_root(path), config.fetch(:verbose, true)
 
@@ -269,7 +312,7 @@ class Thor
     def comment_lines(path, flag, *args)
       flag = flag.respond_to?(:source) ? flag.source : flag
 
-      gsub_file(path, /^(\s*)([^#|\n]*#{flag})/, '\1# \2', *args)
+      gsub_file(path, /^(\s*)([^#\n]*#{flag})/, '\1# \2', *args)
     end
 
     # Removes a file at the given location.
@@ -288,7 +331,10 @@ class Thor
       path = File.expand_path(path, destination_root)
 
       say_status :remove, relative_to_original_destination_root(path), config.fetch(:verbose, true)
-      ::FileUtils.rm_rf(path) if !options[:pretend] && File.exist?(path)
+      if !options[:pretend] && (File.exist?(path) || File.symlink?(path))
+        require "fileutils"
+        ::FileUtils.rm_rf(path)
+      end
     end
     alias_method :remove_dir, :remove_file
 
@@ -305,8 +351,10 @@ class Thor
       with_output_buffer { yield(*args) }
     end
 
-    def with_output_buffer(buf = "") #:nodoc:
-      self.output_buffer, old_buffer = buf, output_buffer
+    def with_output_buffer(buf = "".dup) #:nodoc:
+      raise ArgumentError, "Buffer can not be a frozen object" if buf.frozen?
+      old_buffer = output_buffer
+      self.output_buffer = buf
       yield
       output_buffer
     ensure
@@ -319,7 +367,7 @@ class Thor
       def set_eoutvar(compiler, eoutvar = "_erbout")
         compiler.put_cmd = "#{eoutvar}.concat"
         compiler.insert_cmd = "#{eoutvar}.concat"
-        compiler.pre_cmd = ["#{eoutvar} = ''"]
+        compiler.pre_cmd = ["#{eoutvar} = ''.dup"]
         compiler.post_cmd = [eoutvar]
       end
     end

data/lib/thor/actions/inject_into_file.rb

@@ -1,4 +1,4 @@
-require "thor/actions/empty_directory"
+require_relative "empty_directory"
 
 class Thor
   module Actions
@@ -21,9 +21,14 @@ class Thor
     #     gems.split(" ").map{ |gem| "  config.gem :#{gem}" }.join("\n")
     #   end
     #
+    WARNINGS = { unchanged_no_flag: 'File unchanged! The supplied flag value not found!' }
+
     def insert_into_file(destination, *args, &block)
       data = block_given? ? block : args.shift
-      config = args.shift
+
+      config = args.shift || {}
+      config[:after] = /\z/ unless config.key?(:before) || config.key?(:after)
+
       action InjectIntoFile.new(self, destination, data, config)
     end
     alias_method :inject_into_file, :insert_into_file
@@ -45,15 +50,23 @@ class Thor
       end
 
       def invoke!
-        say_status :invoke
-
         content = if @behavior == :after
           '\0' + replacement
         else
           replacement + '\0'
         end
 
-        replace!(/#{flag}/, content, config[:force])
+        if exists?
+          if replace!(/#{flag}/, content, config[:force])
+            say_status(:invoke)
+          else
+            say_status(:unchanged, warning: WARNINGS[:unchanged_no_flag], color: :red)
+          end
+        else
+          unless pretend?
+            raise Thor::Error, "The file #{ destination } does not appear to exist"
+          end
+        end
       end
 
       def revoke!
@@ -72,7 +85,7 @@ class Thor
 
     protected
 
-      def say_status(behavior)
+      def say_status(behavior, warning: nil, color: nil)
         status = if behavior == :invoke
           if flag == /\A/
             :prepend
@@ -81,21 +94,24 @@ class Thor
           else
             :insert
           end
+        elsif warning
+          warning
         else
           :subtract
         end
 
-        super(status, config[:verbose])
+        super(status, (color || config[:verbose]))
       end
 
       # Adds the content to the file.
       #
       def replace!(regexp, string, force)
-        return if base.options[:pretend]
-        content = File.binread(destination)
+        content = File.read(destination)
         if force || !content.include?(replacement)
-          content.gsub!(regexp, string)
-          File.open(destination, "wb") { |file| file.write(content) }
+          success = content.gsub!(regexp, string)
+
+          File.open(destination, "wb") { |file| file.write(content) } unless pretend?
+          success
         end
       end
     end

data/lib/thor/actions.rb

@@ -1,18 +1,16 @@
-require "fileutils"
-require "uri"
-require "thor/core_ext/io_binary_read"
-require "thor/actions/create_file"
-require "thor/actions/create_link"
-require "thor/actions/directory"
-require "thor/actions/empty_directory"
-require "thor/actions/file_manipulation"
-require "thor/actions/inject_into_file"
+require_relative "actions/create_file"
+require_relative "actions/create_link"
+require_relative "actions/directory"
+require_relative "actions/empty_directory"
+require_relative "actions/file_manipulation"
+require_relative "actions/inject_into_file"
 
 class Thor
   module Actions
     attr_accessor :behavior
 
     def self.included(base) #:nodoc:
+      super(base)
       base.extend ClassMethods
     end
 
@@ -114,8 +112,10 @@ class Thor
     # the script started).
     #
     def relative_to_original_destination_root(path, remove_dot = true)
-      path = path.dup
-      if path.gsub!(@destination_stack[0], ".")
+      root = @destination_stack[0]
+      if path.start_with?(root) && [File::SEPARATOR, File::ALT_SEPARATOR, nil, ''].include?(path[root.size..root.size])
+        path = path.dup
+        path[0...root.size] = '.'
         remove_dot ? (path[2..-1] || "") : path
       else
         path
@@ -141,7 +141,7 @@ class Thor
         end
       end
 
-      message = "Could not find #{file.inspect} in any of your source paths. "
+      message = "Could not find #{file.inspect} in any of your source paths. ".dup
 
       unless self.class.source_root
         message << "Please invoke #{self.class.name}.source_root(PATH) with the PATH containing your templates. "
@@ -161,6 +161,8 @@ class Thor
     # to the block you provide. The path is set back to the previous path when
     # the method exits.
     #
+    # Returns the value yielded by the block.
+    #
     # ==== Parameters
     # dir<String>:: the directory to move to.
     # config<Hash>:: give :verbose => true to log and use padding.
@@ -175,18 +177,22 @@ class Thor
 
       # If the directory doesnt exist and we're not pretending
       if !File.exist?(destination_root) && !pretend
+        require "fileutils"
         FileUtils.mkdir_p(destination_root)
       end
 
+      result = nil
       if pretend
         # In pretend mode, just yield down to the block
-        block.arity == 1 ? yield(destination_root) : yield
+        result = block.arity == 1 ? yield(destination_root) : yield
       else
-        FileUtils.cd(destination_root) { block.arity == 1 ? yield(destination_root) : yield }
+        require "fileutils"
+        FileUtils.cd(destination_root) { result = block.arity == 1 ? yield(destination_root) : yield }
       end
 
       @destination_stack.pop
       shell.padding -= 1 if verbose
+      result
     end
 
     # Goes to the root and execute the given block.
@@ -216,7 +222,8 @@ class Thor
       shell.padding += 1 if verbose
 
       contents = if is_uri
-        open(path, "Accept" => "application/x-thor-template", &:read)
+        require "open-uri"
+        URI.open(path, "Accept" => "application/x-thor-template", &:read)
       else
         open(path, &:read)
       end
@@ -251,7 +258,22 @@ class Thor
 
       say_status :run, desc, config.fetch(:verbose, true)
 
-      !options[:pretend] && config[:capture] ? `#{command}` : system(command.to_s)
+      return if options[:pretend]
+
+      env_splat = [config[:env]] if config[:env]
+
+      if config[:capture]
+        require "open3"
+        result, status = Open3.capture2e(*env_splat, command.to_s)
+        success = status.success?
+      else
+        result = system(*env_splat, command.to_s)
+        success = result
+      end
+
+      abort if !success && config.fetch(:abort_on_failure, self.class.exit_on_failure?)
+
+      result
     end
 
     # Executes a ruby script (taking into account WIN32 platform quirks).