Merge pull request from GHSA-h5h8-pc6h-jvvx

Seldaek · web-flow · commit 083b73515d1d · 2021-04-27T13:00:40.000+02:00
* Fix external process calls to avoid user input being able to pass extra parameters

* Tweak some fixes
diff --git a/src/Composer/Downloader/FossilDownloader.php b/src/Composer/Downloader/FossilDownloader.php
@@ -32,15 +32,15 @@ public function doDownload(PackageInterface $package, $path, $url)
         $ref = ProcessExecutor::escape($package->getSourceReference());
         $repoFile = $path . '.fossil';
         $this->io->writeError("Cloning ".$package->getSourceReference());
-        $command = sprintf('fossil clone %s %s', $url, ProcessExecutor::escape($repoFile));
+        $command = sprintf('fossil clone -- %s %s', $url, ProcessExecutor::escape($repoFile));
         if (0 !== $this->process->execute($command, $ignoredOutput)) {
             throw new \RuntimeException('Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput());
         }
-        $command = sprintf('fossil open %s --nested', ProcessExecutor::escape($repoFile));
+        $command = sprintf('fossil open --nested -- %s', ProcessExecutor::escape($repoFile));
         if (0 !== $this->process->execute($command, $ignoredOutput, realpath($path))) {
             throw new \RuntimeException('Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput());
         }
-        $command = sprintf('fossil update %s', $ref);
+        $command = sprintf('fossil update -- %s', $ref);
         if (0 !== $this->process->execute($command, $ignoredOutput, realpath($path))) {
             throw new \RuntimeException('Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput());
         }
diff --git a/src/Composer/Downloader/GitDownloader.php b/src/Composer/Downloader/GitDownloader.php
@@ -51,7 +51,7 @@ public function doDownload(PackageInterface $package, $path, $url)
         $gitVersion = GitUtil::getVersion($this->process);
         $msg = "Cloning ".$this->getShortHash($ref);
 
-        $command = 'git clone --no-checkout %url% %path% && cd '.$flag.'%path% && git remote add composer %url% && git fetch composer && git remote set-url origin %sanitizedUrl% && git remote set-url composer %sanitizedUrl%';
+        $command = 'git clone --no-checkout -- %url% %path% && cd '.$flag.'%path% && git remote add composer -- %url% && git fetch composer && git remote set-url origin -- %sanitizedUrl% && git remote set-url composer -- %sanitizedUrl%';
         if ($gitVersion && version_compare($gitVersion, '2.3.0-rc0', '>=') && Cache::isUsable($cachePath)) {
             $this->io->writeError('', true, IOInterface::DEBUG);
             $this->io->writeError(sprintf('    Cloning to cache at %s', ProcessExecutor::escape($cachePath)), true, IOInterface::DEBUG);
@@ -63,7 +63,7 @@ public function doDownload(PackageInterface $package, $path, $url)
                     $command =
                         'git clone --no-checkout %cachePath% %path% --dissociate --reference %cachePath% '
                         . '&& cd '.$flag.'%path% '
-                        . '&& git remote set-url origin %sanitizedUrl% && git remote add composer %sanitizedUrl%';
+                        . '&& git remote set-url origin -- %sanitizedUrl% && git remote add composer -- %sanitizedUrl%';
                     $msg = "Cloning ".$this->getShortHash($ref).' from cache';
                 }
             } catch (\RuntimeException $e) {
@@ -125,7 +125,7 @@ public function doUpdate(PackageInterface $initial, PackageInterface $target, $p
 
         $ref = $target->getSourceReference();
         $this->io->writeError(" Checking out ".$this->getShortHash($ref));
-        $command = '(git remote set-url composer %s && git rev-parse --quiet --verify %s || (git fetch composer && git fetch --tags composer)) && git remote set-url composer %s';
+        $command = '(git remote set-url composer -- %s && git rev-parse --quiet --verify %s || (git fetch composer && git fetch --tags composer)) && git remote set-url composer -- %s';
 
         $commandCallable = function ($url) use ($command, $ref) {
             return sprintf(
@@ -411,7 +411,7 @@ protected function updateToCommit($path, $reference, $branch, $date)
 
     protected function updateOriginUrl($path, $url)
     {
-        $this->process->execute(sprintf('git remote set-url origin %s', ProcessExecutor::escape($url)), $output, $path);
+        $this->process->execute(sprintf('git remote set-url origin -- %s', ProcessExecutor::escape($url)), $output, $path);
         $this->setPushUrl($path, $url);
     }
 
@@ -424,7 +424,7 @@ protected function setPushUrl($path, $url)
             if (!in_array('ssh', $protocols, true)) {
                 $pushUrl = 'https://' . $match[1] . '/'.$match[2].'/'.$match[3].'.git';
             }
-            $cmd = sprintf('git remote set-url --push origin %s', ProcessExecutor::escape($pushUrl));
+            $cmd = sprintf('git remote set-url --push origin -- %s', ProcessExecutor::escape($pushUrl));
             $this->process->execute($cmd, $ignoredOutput, $path);
         }
     }
diff --git a/src/Composer/Downloader/GzipDownloader.php b/src/Composer/Downloader/GzipDownloader.php
@@ -42,7 +42,7 @@ protected function extract($file, $path)
 
         // Try to use gunzip on *nix
         if (!Platform::isWindows()) {
-            $command = 'gzip -cd ' . ProcessExecutor::escape($file) . ' > ' . ProcessExecutor::escape($targetFilepath);
+            $command = 'gzip -cd -- ' . ProcessExecutor::escape($file) . ' > ' . ProcessExecutor::escape($targetFilepath);
 
             if (0 === $this->process->execute($command, $ignoredOutput)) {
                 return;
diff --git a/src/Composer/Downloader/HgDownloader.php b/src/Composer/Downloader/HgDownloader.php
@@ -29,13 +29,13 @@ public function doDownload(PackageInterface $package, $path, $url)
         $hgUtils = new HgUtils($this->io, $this->config, $this->process);
 
         $cloneCommand = function ($url) use ($path) {
-            return sprintf('hg clone %s %s', ProcessExecutor::escape($url), ProcessExecutor::escape($path));
+            return sprintf('hg clone -- %s %s', ProcessExecutor::escape($url), ProcessExecutor::escape($path));
         };
 
         $hgUtils->runCommand($cloneCommand, $url, $path);
 
         $ref = ProcessExecutor::escape($package->getSourceReference());
-        $command = sprintf('hg up %s', $ref);
+        $command = sprintf('hg up -- %s', $ref);
         if (0 !== $this->process->execute($command, $ignoredOutput, realpath($path))) {
             throw new \RuntimeException('Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput());
         }
@@ -56,7 +56,7 @@ public function doUpdate(PackageInterface $initial, PackageInterface $target, $p
         }
 
         $command = function ($url) use ($ref) {
-            return sprintf('hg pull %s && hg up %s', ProcessExecutor::escape($url), ProcessExecutor::escape($ref));
+            return sprintf('hg pull -- %s && hg up -- %s', ProcessExecutor::escape($url), ProcessExecutor::escape($ref));
         };
 
         $hgUtils->runCommand($command, $url, $path);
diff --git a/src/Composer/Downloader/RarDownloader.php b/src/Composer/Downloader/RarDownloader.php
@@ -45,7 +45,7 @@ protected function extract($file, $path)
 
         // Try to use unrar on *nix
         if (!Platform::isWindows()) {
-            $command = 'unrar x ' . ProcessExecutor::escape($file) . ' ' . ProcessExecutor::escape($path) . ' >/dev/null && chmod -R u+w ' . ProcessExecutor::escape($path);
+            $command = 'unrar x -- ' . ProcessExecutor::escape($file) . ' ' . ProcessExecutor::escape($path) . ' >/dev/null && chmod -R u+w ' . ProcessExecutor::escape($path);
 
             if (0 === $this->process->execute($command, $ignoredOutput)) {
                 return;
diff --git a/src/Composer/Downloader/SvnDownloader.php b/src/Composer/Downloader/SvnDownloader.php
@@ -172,7 +172,7 @@ protected function getCommitLogs($fromReference, $toReference, $path)
     {
         if (preg_match('{.*@(\d+)$}', $fromReference) && preg_match('{.*@(\d+)$}', $toReference)) {
             // retrieve the svn base url from the checkout folder
-            $command = sprintf('svn info --non-interactive --xml %s', ProcessExecutor::escape($path));
+            $command = sprintf('svn info --non-interactive --xml -- %s', ProcessExecutor::escape($path));
             if (0 !== $this->process->execute($command, $output, $path)) {
                 throw new \RuntimeException(
                     'Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput()
diff --git a/src/Composer/Repository/Vcs/FossilDriver.php b/src/Composer/Repository/Vcs/FossilDriver.php
@@ -95,13 +95,13 @@ protected function updateLocalRepo()
 
             $fs->ensureDirectoryExists($this->checkoutDir);
 
-            if (0 !== $this->process->execute(sprintf('fossil clone %s %s', ProcessExecutor::escape($this->url), ProcessExecutor::escape($this->repoFile)), $output)) {
+            if (0 !== $this->process->execute(sprintf('fossil clone -- %s %s', ProcessExecutor::escape($this->url), ProcessExecutor::escape($this->repoFile)), $output)) {
                 $output = $this->process->getErrorOutput();
 
                 throw new \RuntimeException('Failed to clone '.$this->url.' to repository ' . $this->repoFile . "\n\n" .$output);
             }
 
-            if (0 !== $this->process->execute(sprintf('fossil open %s --nested', ProcessExecutor::escape($this->repoFile)), $output, $this->checkoutDir)) {
+            if (0 !== $this->process->execute(sprintf('fossil open --nested -- %s', ProcessExecutor::escape($this->repoFile)), $output, $this->checkoutDir)) {
                 $output = $this->process->getErrorOutput();
 
                 throw new \RuntimeException('Failed to open repository '.$this->repoFile.' in ' . $this->checkoutDir . "\n\n" .$output);
@@ -150,7 +150,7 @@ public function getDist($identifier)
      */
     public function getFileContent($file, $identifier)
     {
-        $command = sprintf('fossil cat -r %s %s', ProcessExecutor::escape($identifier), ProcessExecutor::escape($file));
+        $command = sprintf('fossil cat -r %s -- %s', ProcessExecutor::escape($identifier), ProcessExecutor::escape($file));
         $this->process->execute($command, $content, $this->checkoutDir);
 
         if (!trim($content)) {
diff --git a/src/Composer/Repository/Vcs/GitDriver.php b/src/Composer/Repository/Vcs/GitDriver.php
@@ -227,7 +227,7 @@ public static function supports(IOInterface $io, Config $config, $url, $deep = f
 
         try {
             $gitUtil->runCommand(function ($url) {
-                return 'git ls-remote --heads ' . ProcessExecutor::escape($url);
+                return 'git ls-remote --heads -- ' . ProcessExecutor::escape($url);
             }, $url, sys_get_temp_dir());
         } catch (\RuntimeException $e) {
             return false;
diff --git a/src/Composer/Repository/Vcs/HgDriver.php b/src/Composer/Repository/Vcs/HgDriver.php
@@ -68,7 +68,7 @@ public function initialize()
 
                 $repoDir = $this->repoDir;
                 $command = function ($url) use ($repoDir) {
-                    return sprintf('hg clone --noupdate %s %s', ProcessExecutor::escape($url), ProcessExecutor::escape($repoDir));
+                    return sprintf('hg clone --noupdate -- %s %s', ProcessExecutor::escape($url), ProcessExecutor::escape($repoDir));
                 };
 
                 $hgUtils->runCommand($command, $this->url, null);
@@ -229,7 +229,7 @@ public static function supports(IOInterface $io, Config $config, $url, $deep = f
         }
 
         $processExecutor = new ProcessExecutor($io);
-        $exit = $processExecutor->execute(sprintf('hg identify %s', ProcessExecutor::escape($url)), $ignored);
+        $exit = $processExecutor->execute(sprintf('hg identify -- %s', ProcessExecutor::escape($url)), $ignored);
 
         return $exit === 0;
     }
diff --git a/src/Composer/Repository/Vcs/SvnDriver.php b/src/Composer/Repository/Vcs/SvnDriver.php
@@ -310,7 +310,7 @@ public static function supports(IOInterface $io, Config $config, $url, $deep = f
         $processExecutor = new ProcessExecutor($io);
 
         $exit = $processExecutor->execute(
-            "svn info --non-interactive ".ProcessExecutor::escape($url),
+            "svn info --non-interactive -- ".ProcessExecutor::escape($url),
             $ignoredOutput
         );
 
diff --git a/src/Composer/Util/Git.php b/src/Composer/Util/Git.php
@@ -254,7 +254,7 @@ public function syncMirror($url, $dir)
                 $commandCallable = function ($url) {
                     $sanitizedUrl = preg_replace('{://([^@]+?):(.+?)@}', '://', $url);
 
-                    return sprintf('git remote set-url origin %s && git remote update --prune origin && git remote set-url origin %s', ProcessExecutor::escape($url), ProcessExecutor::escape($sanitizedUrl));
+                    return sprintf('git remote set-url origin -- %s && git remote update --prune origin && git remote set-url origin -- %s', ProcessExecutor::escape($url), ProcessExecutor::escape($sanitizedUrl));
                 };
                 $this->runCommand($commandCallable, $url, $dir);
             } catch (\Exception $e) {
@@ -270,7 +270,7 @@ public function syncMirror($url, $dir)
         $this->filesystem->removeDirectory($dir);
 
         $commandCallable = function ($url) use ($dir) {
-            return sprintf('git clone --mirror %s %s', ProcessExecutor::escape($url), ProcessExecutor::escape($dir));
+            return sprintf('git clone --mirror -- %s %s', ProcessExecutor::escape($url), ProcessExecutor::escape($dir));
         };
 
         $this->runCommand($commandCallable, $url, $dir, true);
diff --git a/src/Composer/Util/Svn.php b/src/Composer/Util/Svn.php
@@ -224,7 +224,7 @@ protected function doAuthDance()
     protected function getCommand($cmd, $url, $path = null)
     {
         $cmd = sprintf(
-            '%s %s%s %s',
+            '%s %s%s -- %s',
             $cmd,
             '--non-interactive ',
             $this->getCredentialString(),
diff --git a/tests/Composer/Test/Downloader/FossilDownloaderTest.php b/tests/Composer/Test/Downloader/FossilDownloaderTest.php
@@ -70,19 +70,19 @@ public function testDownload()
             ->will($this->returnValue(array('http://fossil.kd2.org/kd2fw/')));
         $processExecutor = $this->getMockBuilder('Composer\Util\ProcessExecutor')->getMock();
 
-        $expectedFossilCommand = $this->getCmd('fossil clone \'http://fossil.kd2.org/kd2fw/\' \'repo.fossil\'');
+        $expectedFossilCommand = $this->getCmd('fossil clone -- \'http://fossil.kd2.org/kd2fw/\' \'repo.fossil\'');
         $processExecutor->expects($this->at(0))
             ->method('execute')
             ->with($this->equalTo($expectedFossilCommand))
             ->will($this->returnValue(0));
 
-        $expectedFossilCommand = $this->getCmd('fossil open \'repo.fossil\' --nested');
+        $expectedFossilCommand = $this->getCmd('fossil open --nested -- \'repo.fossil\'');
         $processExecutor->expects($this->at(1))
             ->method('execute')
             ->with($this->equalTo($expectedFossilCommand))
             ->will($this->returnValue(0));
 
-        $expectedFossilCommand = $this->getCmd('fossil update \'trunk\'');
+        $expectedFossilCommand = $this->getCmd('fossil update -- \'trunk\'');
         $processExecutor->expects($this->at(2))
             ->method('execute')
             ->with($this->equalTo($expectedFossilCommand))
diff --git a/tests/Composer/Test/Downloader/GitDownloaderTest.php b/tests/Composer/Test/Downloader/GitDownloaderTest.php
diff --git a/tests/Composer/Test/Downloader/HgDownloaderTest.php b/tests/Composer/Test/Downloader/HgDownloaderTest.php
diff --git a/tests/Composer/Test/Util/SvnTest.php b/tests/Composer/Test/Util/SvnTest.php

Original file line number	Diff line number	Diff line change
`@@ -32,15 +32,15 @@ public function doDownload(PackageInterface $package, $path, $url)`
`32`	`32`	`$ref = ProcessExecutor::escape($package->getSourceReference());`
`33`	`33`	`$repoFile = $path . '.fossil';`
`34`	`34`	`$this->io->writeError("Cloning ".$package->getSourceReference());`
`35`		`- $command = sprintf('fossil clone %s %s', $url, ProcessExecutor::escape($repoFile));`
	`35`	`+ $command = sprintf('fossil clone -- %s %s', $url, ProcessExecutor::escape($repoFile));`
`36`	`36`	`if (0 !== $this->process->execute($command, $ignoredOutput)) {`
`37`	`37`	`throw new \RuntimeException('Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput());`
`38`	`38`	`}`
`39`		`- $command = sprintf('fossil open %s --nested', ProcessExecutor::escape($repoFile));`
	`39`	`+ $command = sprintf('fossil open --nested -- %s', ProcessExecutor::escape($repoFile));`
`40`	`40`	`if (0 !== $this->process->execute($command, $ignoredOutput, realpath($path))) {`
`41`	`41`	`throw new \RuntimeException('Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput());`
`42`	`42`	`}`
`43`		`- $command = sprintf('fossil update %s', $ref);`
	`43`	`+ $command = sprintf('fossil update -- %s', $ref);`
`44`	`44`	`if (0 !== $this->process->execute($command, $ignoredOutput, realpath($path))) {`
`45`	`45`	`throw new \RuntimeException('Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput());`
`46`	`46`	`}`
Original file line number	Diff line number	Diff line change
`@@ -172,7 +172,7 @@ protected function getCommitLogs($fromReference, $toReference, $path)`
`172`	`172`	`{`
`173`	`173`	`if (preg_match('{.@(\d+)$}', $fromReference) && preg_match('{.@(\d+)$}', $toReference)) {`
`174`	`174`	`// retrieve the svn base url from the checkout folder`
`175`		`- $command = sprintf('svn info --non-interactive --xml %s', ProcessExecutor::escape($path));`
	`175`	`+ $command = sprintf('svn info --non-interactive --xml -- %s', ProcessExecutor::escape($path));`
`176`	`176`	`if (0 !== $this->process->execute($command, $output, $path)) {`
`177`	`177`	`throw new \RuntimeException(`
`178`	`178`	`'Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput()`
Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ public function initialize()`
`68`	`68`
`69`	`69`	`$repoDir = $this->repoDir;`
`70`	`70`	`$command = function ($url) use ($repoDir) {`
`71`		`- return sprintf('hg clone --noupdate %s %s', ProcessExecutor::escape($url), ProcessExecutor::escape($repoDir));`
	`71`	`+ return sprintf('hg clone --noupdate -- %s %s', ProcessExecutor::escape($url), ProcessExecutor::escape($repoDir));`
`72`	`72`	`};`
`73`	`73`
`74`	`74`	`$hgUtils->runCommand($command, $this->url, null);`
`@@ -229,7 +229,7 @@ public static function supports(IOInterface $io, Config $config, $url, $deep = f`
`229`	`229`	`}`
`230`	`230`
`231`	`231`	`$processExecutor = new ProcessExecutor($io);`
`232`		`- $exit = $processExecutor->execute(sprintf('hg identify %s', ProcessExecutor::escape($url)), $ignored);`
	`232`	`+ $exit = $processExecutor->execute(sprintf('hg identify -- %s', ProcessExecutor::escape($url)), $ignored);`
`233`	`233`
`234`	`234`	`return $exit === 0;`
`235`	`235`	`}`
Original file line number	Diff line number	Diff line change
`@@ -224,7 +224,7 @@ protected function doAuthDance()`
`224`	`224`	`protected function getCommand($cmd, $url, $path = null)`
`225`	`225`	`{`
`226`	`226`	`$cmd = sprintf(`
`227`		`- '%s %s%s %s',`
	`227`	`+ '%s %s%s -- %s',`
`228`	`228`	`$cmd,`
`229`	`229`	`'--non-interactive ',`
`230`	`230`	`$this->getCredentialString(),`