From 1ee90207d092f6b3b6ca2068cead8b23548a0cac Mon Sep 17 00:00:00 2001 From: Matt Farina Date: Wed, 30 Mar 2022 13:34:39 -0400 Subject: [PATCH 1/2] Some fixes Signed-off-by: Matt Farina --- bzr.go | 10 +++++----- git.go | 10 +++++----- hg.go | 10 +++++----- svn.go | 8 ++++---- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/bzr.go b/bzr.go index 8343d3c..9803d20 100644 --- a/bzr.go +++ b/bzr.go @@ -80,7 +80,7 @@ func (s *BzrRepo) Get() error { } } - out, err := s.run("bzr", "branch", s.Remote(), s.LocalPath()) + out, err := s.run("bzr", "branch", "--", s.Remote(), s.LocalPath()) if err != nil { return NewRemoteError("Unable to get repository", err, string(out)) } @@ -90,7 +90,7 @@ func (s *BzrRepo) Get() error { // Init initializes a bazaar repository at local location. func (s *BzrRepo) Init() error { - out, err := s.run("bzr", "init", s.LocalPath()) + out, err := s.run("bzr", "init", "--", s.LocalPath()) // There are some windows cases where bazaar cannot create the parent // directory if it does not already exist, to the location it's trying @@ -104,7 +104,7 @@ func (s *BzrRepo) Init() error { return NewLocalError("Unable to initialize repository", err, "") } - out, err = s.run("bzr", "init", s.LocalPath()) + out, err = s.run("bzr", "init", "--", s.LocalPath()) if err != nil { return NewLocalError("Unable to initialize repository", err, string(out)) } @@ -310,13 +310,13 @@ func (s *BzrRepo) Ping() bool { // This is the same command that Go itself uses but it's not fast (or fast // enough by my standards). A faster method would be useful. - _, err = s.run("bzr", "info", s.Remote()) + _, err = s.run("bzr", "info", "--", s.Remote()) return err == nil } // ExportDir exports the current revision to the passed in directory. func (s *BzrRepo) ExportDir(dir string) error { - out, err := s.RunFromDir("bzr", "export", dir) + out, err := s.RunFromDir("bzr", "export", "--", dir) s.log(out) if err != nil { return NewLocalError("Unable to export source", err, string(out)) diff --git a/git.go b/git.go index b449480..2da0274 100644 --- a/git.go +++ b/git.go @@ -71,7 +71,7 @@ func (s GitRepo) Vcs() Type { // Get is used to perform an initial clone of a repository. func (s *GitRepo) Get() error { - out, err := s.run("git", "clone", "--recursive", s.Remote(), s.LocalPath()) + out, err := s.run("git", "clone", "--recursive", "--", s.Remote(), s.LocalPath()) // There are some windows cases where Git cannot create the parent directory, // if it does not already exist, to the location it's trying to create the @@ -85,7 +85,7 @@ func (s *GitRepo) Get() error { return NewLocalError("Unable to create directory", err, "") } - out, err = s.run("git", "clone", s.Remote(), s.LocalPath()) + out, err = s.run("git", "clone", "--recursive", "--", s.Remote(), s.LocalPath()) if err != nil { return NewRemoteError("Unable to get repository", err, string(out)) } @@ -101,7 +101,7 @@ func (s *GitRepo) Get() error { // Init initializes a git repository at local location. func (s *GitRepo) Init() error { - out, err := s.run("git", "init", s.LocalPath()) + out, err := s.run("git", "init", "--", s.LocalPath()) // There are some windows cases where Git cannot create the parent directory, // if it does not already exist, to the location it's trying to create the @@ -115,7 +115,7 @@ func (s *GitRepo) Init() error { return NewLocalError("Unable to initialize repository", err, "") } - out, err = s.run("git", "init", s.LocalPath()) + out, err = s.run("git", "init", "--", s.LocalPath()) if err != nil { return NewLocalError("Unable to initialize repository", err, string(out)) } @@ -132,7 +132,7 @@ func (s *GitRepo) Init() error { // Update performs an Git fetch and pull to an existing checkout. func (s *GitRepo) Update() error { // Perform a fetch to make sure everything is up to date. - out, err := s.RunFromDir("git", "fetch", "--tags", s.RemoteLocation) + out, err := s.RunFromDir("git", "fetch", "--tags", "--", s.RemoteLocation) if err != nil { return NewRemoteError("Unable to update repository", err, string(out)) } diff --git a/hg.go b/hg.go index ee3e0d9..11e012c 100644 --- a/hg.go +++ b/hg.go @@ -72,7 +72,7 @@ func (s HgRepo) Vcs() Type { // Get is used to perform an initial clone of a repository. func (s *HgRepo) Get() error { - out, err := s.run("hg", "clone", s.Remote(), s.LocalPath()) + out, err := s.run("hg", "clone", "--", s.Remote(), s.LocalPath()) if err != nil { return NewRemoteError("Unable to get repository", err, string(out)) } @@ -81,7 +81,7 @@ func (s *HgRepo) Get() error { // Init will initialize a mercurial repository at local location. func (s *HgRepo) Init() error { - out, err := s.run("hg", "init", s.LocalPath()) + out, err := s.run("hg", "init", "--", s.LocalPath()) if err != nil { return NewLocalError("Unable to initialize repository", err, string(out)) } @@ -100,7 +100,7 @@ func (s *HgRepo) UpdateVersion(version string) error { return NewLocalError("Unable to update checked out version", err, string(out)) } if len(strings.TrimSpace(version)) > 0 { - out, err = s.RunFromDir("hg", "update", version) + out, err = s.RunFromDir("hg", "update", "--", version) } else { out, err = s.RunFromDir("hg", "update") } @@ -310,14 +310,14 @@ func (s *HgRepo) TagsFromCommit(id string) ([]string, error) { // Ping returns if remote location is accessible. func (s *HgRepo) Ping() bool { - _, err := s.run("hg", "identify", s.Remote()) + _, err := s.run("hg", "identify", "--", s.Remote()) return err == nil } // ExportDir exports the current revision to the passed in directory. func (s *HgRepo) ExportDir(dir string) error { - out, err := s.RunFromDir("hg", "archive", dir) + out, err := s.RunFromDir("hg", "archive", "--", dir) s.log(out) if err != nil { return NewLocalError("Unable to export source", err, string(out)) diff --git a/svn.go b/svn.go index 913f90a..0c382c9 100644 --- a/svn.go +++ b/svn.go @@ -37,7 +37,7 @@ func NewSvnRepo(remote, local string) (*SvnRepo, error) { if err == nil && r.CheckLocal() { // An SVN repo was found so test that the URL there matches // the repo passed in here. - out, err := exec.Command("svn", "info", local).CombinedOutput() + out, err := exec.Command("svn", "info", "--", local).CombinedOutput() if err != nil { return nil, NewLocalError("Unable to retrieve local repo information", err, string(out)) } @@ -80,7 +80,7 @@ func (s *SvnRepo) Get() error { } else if runtime.GOOS == "windows" && filepath.VolumeName(remote) != "" { remote = "file:///" + remote } - out, err := s.run("svn", "checkout", remote, s.LocalPath()) + out, err := s.run("svn", "checkout", "--", remote, s.LocalPath()) if err != nil { return NewRemoteError("Unable to get repository", err, string(out)) } @@ -341,14 +341,14 @@ func (s *SvnRepo) TagsFromCommit(id string) ([]string, error) { // Ping returns if remote location is accessible. func (s *SvnRepo) Ping() bool { - _, err := s.run("svn", "--non-interactive", "info", s.Remote()) + _, err := s.run("svn", "--non-interactive", "info", "--", s.Remote()) return err == nil } // ExportDir exports the current revision to the passed in directory. func (s *SvnRepo) ExportDir(dir string) error { - out, err := s.RunFromDir("svn", "export", ".", dir) + out, err := s.RunFromDir("svn", "export", "--", ".", dir) s.log(out) if err != nil { return NewLocalError("Unable to export source", err, string(out)) From 2e485aa520c2055912ddd57de3196a6386bc07b4 Mon Sep 17 00:00:00 2001 From: Matt Farina Date: Wed, 30 Mar 2022 16:01:45 -0400 Subject: [PATCH 2/2] Updating changelog Signed-off-by: Matt Farina --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b0e349a..7453ca0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,10 @@ # Changelog -## 1.13.1 (2022-03-xx) +## 1.13.2 (2022-03-30) ### Fixed +- Fix for CVE-2022-21235 - #103: Fixed CI testing. This included moving to GitHub Actions, updating the the Git submodule handling, and skipping bzr tests on Windows (bzr has discontinued and the installer now installs a broken environment)