Merge pull request from GHSA-h5h8-pc6h-jvvx
* Fix external process calls so that user-controlled values (URLs, references) cannot pass extra parameters/options to the spawned command

* Tweak some fixes
Seldaek committed Apr 27, 2021
1 parent 4dc293b commit 083b735
Showing 16 changed files with 48 additions and 48 deletions.
6 changes: 3 additions & 3 deletions src/Composer/Downloader/FossilDownloader.php
Expand Up @@ -32,15 +32,15 @@ public function doDownload(PackageInterface $package, $path, $url)
$ref = ProcessExecutor::escape($package->getSourceReference());
$repoFile = $path . '.fossil';
$this->io->writeError("Cloning ".$package->getSourceReference());
$command = sprintf('fossil clone %s %s', $url, ProcessExecutor::escape($repoFile));
$command = sprintf('fossil clone -- %s %s', $url, ProcessExecutor::escape($repoFile));
if (0 !== $this->process->execute($command, $ignoredOutput)) {
throw new \RuntimeException('Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput());
}
$command = sprintf('fossil open %s --nested', ProcessExecutor::escape($repoFile));
$command = sprintf('fossil open --nested -- %s', ProcessExecutor::escape($repoFile));
if (0 !== $this->process->execute($command, $ignoredOutput, realpath($path))) {
throw new \RuntimeException('Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput());
}
$command = sprintf('fossil update %s', $ref);
$command = sprintf('fossil update -- %s', $ref);
if (0 !== $this->process->execute($command, $ignoredOutput, realpath($path))) {
throw new \RuntimeException('Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput());
}
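Review bot: In the `fossil clone -- %s %s` line `$url` is interpolated without `ProcessExecutor::escape()`, while `$repoFile` and `$ref` in the neighbouring commands are escaped; unless `$url` is escaped earlier in doDownload (the method starts before this hunk), shell metacharacters in the source URL would still be interpreted, and the added `--` only ends fossil's option parsing, not the shell's. If it is escaped above, a comment such as `// $url is already shell-escaped at the top of doDownload` on that line would save the next reader the check. A one-line note that `--` is what stops fossil reading a URL or reference beginning with `-` as an option would also document why the argument order was changed.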
10 changes: 5 additions & 5 deletions src/Composer/Downloader/GitDownloader.php
Expand Up @@ -51,7 +51,7 @@ public function doDownload(PackageInterface $package, $path, $url)
$gitVersion = GitUtil::getVersion($this->process);
$msg = "Cloning ".$this->getShortHash($ref);

$command = 'git clone --no-checkout %url% %path% && cd '.$flag.'%path% && git remote add composer %url% && git fetch composer && git remote set-url origin %sanitizedUrl% && git remote set-url composer %sanitizedUrl%';
$command = 'git clone --no-checkout -- %url% %path% && cd '.$flag.'%path% && git remote add composer -- %url% && git fetch composer && git remote set-url origin -- %sanitizedUrl% && git remote set-url composer -- %sanitizedUrl%';
if ($gitVersion && version_compare($gitVersion, '2.3.0-rc0', '>=') && Cache::isUsable($cachePath)) {
$this->io->writeError('', true, IOInterface::DEBUG);
$this->io->writeError(sprintf(' Cloning to cache at %s', ProcessExecutor::escape($cachePath)), true, IOInterface::DEBUG);
Expand All @@ -63,7 +63,7 @@ public function doDownload(PackageInterface $package, $path, $url)
$command =
'git clone --no-checkout %cachePath% %path% --dissociate --reference %cachePath% '
. '&& cd '.$flag.'%path% '
. '&& git remote set-url origin %sanitizedUrl% && git remote add composer %sanitizedUrl%';
. '&& git remote set-url origin -- %sanitizedUrl% && git remote add composer -- %sanitizedUrl%';
$msg = "Cloning ".$this->getShortHash($ref).' from cache';
}
} catch (\RuntimeException $e) {
Expand Down Expand Up @@ -125,7 +125,7 @@ public function doUpdate(PackageInterface $initial, PackageInterface $target, $p

$ref = $target->getSourceReference();
$this->io->writeError(" Checking out ".$this->getShortHash($ref));
$command = '(git remote set-url composer %s && git rev-parse --quiet --verify %s || (git fetch composer && git fetch --tags composer)) && git remote set-url composer %s';
$command = '(git remote set-url composer -- %s && git rev-parse --quiet --verify %s || (git fetch composer && git fetch --tags composer)) && git remote set-url composer -- %s';

$commandCallable = function ($url) use ($command, $ref) {
return sprintf(
Expand Down Expand Up @@ -411,7 +411,7 @@ protected function updateToCommit($path, $reference, $branch, $date)

protected function updateOriginUrl($path, $url)
{
$this->process->execute(sprintf('git remote set-url origin %s', ProcessExecutor::escape($url)), $output, $path);
$this->process->execute(sprintf('git remote set-url origin -- %s', ProcessExecutor::escape($url)), $output, $path);
$this->setPushUrl($path, $url);
}

Expand All @@ -424,7 +424,7 @@ protected function setPushUrl($path, $url)
if (!in_array('ssh', $protocols, true)) {
$pushUrl = 'https://' . $match[1] . '/'.$match[2].'/'.$match[3].'.git';
}
$cmd = sprintf('git remote set-url --push origin %s', ProcessExecutor::escape($pushUrl));
$cmd = sprintf('git remote set-url --push origin -- %s', ProcessExecutor::escape($pushUrl));
$this->process->execute($cmd, $ignoredOutput, $path);
}
}
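Review bot: In the doUpdate command template, `git rev-parse --quiet --verify %s` still takes the target source reference immediately after option flags, so a reference beginning with `-` would be parsed as a rev-parse option; the shell escaping presumably applied in the callable (which continues past the hunk) does not prevent that. Adding `--` is not the fix here: as far as I can tell rev-parse treats everything after `--` as paths rather than revisions, so `--verify -- <ref>` exits non-zero even for a valid ref. Validate the reference before it is interpolated instead, e.g. `if (strpos($ref, '-') === 0) { throw new \RuntimeException('Invalid git reference: ' . $ref); }`, or use `--end-of-options` when the git version already detected in doDownload is 2.24 or newer.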
2 changes: 1 addition & 1 deletion src/Composer/Downloader/GzipDownloader.php
Expand Up @@ -42,7 +42,7 @@ protected function extract($file, $path)

// Try to use gunzip on *nix
if (!Platform::isWindows()) {
$command = 'gzip -cd ' . ProcessExecutor::escape($file) . ' > ' . ProcessExecutor::escape($targetFilepath);
$command = 'gzip -cd -- ' . ProcessExecutor::escape($file) . ' > ' . ProcessExecutor::escape($targetFilepath);

if (0 === $this->process->execute($command, $ignoredOutput)) {
return;
6 changes: 3 additions & 3 deletions src/Composer/Downloader/HgDownloader.php
Expand Up @@ -29,13 +29,13 @@ public function doDownload(PackageInterface $package, $path, $url)
$hgUtils = new HgUtils($this->io, $this->config, $this->process);

$cloneCommand = function ($url) use ($path) {
return sprintf('hg clone %s %s', ProcessExecutor::escape($url), ProcessExecutor::escape($path));
return sprintf('hg clone -- %s %s', ProcessExecutor::escape($url), ProcessExecutor::escape($path));
};

$hgUtils->runCommand($cloneCommand, $url, $path);

$ref = ProcessExecutor::escape($package->getSourceReference());
$command = sprintf('hg up %s', $ref);
$command = sprintf('hg up -- %s', $ref);
if (0 !== $this->process->execute($command, $ignoredOutput, realpath($path))) {
throw new \RuntimeException('Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput());
}
Expand All @@ -56,7 +56,7 @@ public function doUpdate(PackageInterface $initial, PackageInterface $target, $p
}

$command = function ($url) use ($ref) {
return sprintf('hg pull %s && hg up %s', ProcessExecutor::escape($url), ProcessExecutor::escape($ref));
return sprintf('hg pull -- %s && hg up -- %s', ProcessExecutor::escape($url), ProcessExecutor::escape($ref));
};

$hgUtils->runCommand($command, $url, $path);
2 changes: 1 addition & 1 deletion src/Composer/Downloader/RarDownloader.php
Expand Up @@ -45,7 +45,7 @@ protected function extract($file, $path)

// Try to use unrar on *nix
if (!Platform::isWindows()) {
$command = 'unrar x ' . ProcessExecutor::escape($file) . ' ' . ProcessExecutor::escape($path) . ' >/dev/null && chmod -R u+w ' . ProcessExecutor::escape($path);
$command = 'unrar x -- ' . ProcessExecutor::escape($file) . ' ' . ProcessExecutor::escape($path) . ' >/dev/null && chmod -R u+w ' . ProcessExecutor::escape($path);

if (0 === $this->process->execute($command, $ignoredOutput)) {
return;
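Review bot: The `chmod -R u+w` at the end of the same command line still takes `$path` positionally with no `--`, while the `unrar x` half now has it. `$path` is the extraction target rather than a value taken from the package, so the exposure is low, but since the point of this commit is to end option parsing before every interpolated value, `&& chmod -R u+w -- ' . ProcessExecutor::escape($path)` keeps the line consistent. A short comment on the command, e.g. `// "--" stops unrar/chmod reading a leading "-" in a path as a switch`, would record why the order matters.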
2 changes: 1 addition & 1 deletion src/Composer/Downloader/SvnDownloader.php
Expand Up @@ -172,7 +172,7 @@ protected function getCommitLogs($fromReference, $toReference, $path)
{
if (preg_match('{.*@(\d+)$}', $fromReference) && preg_match('{.*@(\d+)$}', $toReference)) {
// retrieve the svn base url from the checkout folder
$command = sprintf('svn info --non-interactive --xml %s', ProcessExecutor::escape($path));
$command = sprintf('svn info --non-interactive --xml -- %s', ProcessExecutor::escape($path));
if (0 !== $this->process->execute($command, $output, $path)) {
throw new \RuntimeException(
'Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput()
6 changes: 3 additions & 3 deletions src/Composer/Repository/Vcs/FossilDriver.php
Expand Up @@ -95,13 +95,13 @@ protected function updateLocalRepo()

$fs->ensureDirectoryExists($this->checkoutDir);

if (0 !== $this->process->execute(sprintf('fossil clone %s %s', ProcessExecutor::escape($this->url), ProcessExecutor::escape($this->repoFile)), $output)) {
if (0 !== $this->process->execute(sprintf('fossil clone -- %s %s', ProcessExecutor::escape($this->url), ProcessExecutor::escape($this->repoFile)), $output)) {
$output = $this->process->getErrorOutput();

throw new \RuntimeException('Failed to clone '.$this->url.' to repository ' . $this->repoFile . "\n\n" .$output);
}

if (0 !== $this->process->execute(sprintf('fossil open %s --nested', ProcessExecutor::escape($this->repoFile)), $output, $this->checkoutDir)) {
if (0 !== $this->process->execute(sprintf('fossil open --nested -- %s', ProcessExecutor::escape($this->repoFile)), $output, $this->checkoutDir)) {
$output = $this->process->getErrorOutput();

throw new \RuntimeException('Failed to open repository '.$this->repoFile.' in ' . $this->checkoutDir . "\n\n" .$output);
Expand Down Expand Up @@ -150,7 +150,7 @@ public function getDist($identifier)
*/
public function getFileContent($file, $identifier)
{
$command = sprintf('fossil cat -r %s %s', ProcessExecutor::escape($identifier), ProcessExecutor::escape($file));
$command = sprintf('fossil cat -r %s -- %s', ProcessExecutor::escape($identifier), ProcessExecutor::escape($file));
$this->process->execute($command, $content, $this->checkoutDir);

if (!trim($content)) {
2 changes: 1 addition & 1 deletion src/Composer/Repository/Vcs/GitDriver.php
Expand Up @@ -227,7 +227,7 @@ public static function supports(IOInterface $io, Config $config, $url, $deep = f

try {
$gitUtil->runCommand(function ($url) {
return 'git ls-remote --heads ' . ProcessExecutor::escape($url);
return 'git ls-remote --heads -- ' . ProcessExecutor::escape($url);
}, $url, sys_get_temp_dir());
} catch (\RuntimeException $e) {
return false;
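Review bot: `--` stops option injection in `git ls-remote --heads -- <url>`, but supports() is the first probe of an attacker-chosen URL and git still routes unknown schemes to remote helpers, the `ext::` helper in particular running a command line. Git has refused `ext::` by default since 2.12 unless `protocol.ext.allow` is set, so this is a defence-in-depth caveat rather than a hole in the fix, but it depends on the user's global config rather than on Composer. Unless GitUtil::runCommand (outside this hunk) already pins it, I would make the invocation independent of that config: `return 'git -c protocol.ext.allow=never ls-remote --heads -- ' . ProcessExecutor::escape($url);`.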
4 changes: 2 additions & 2 deletions src/Composer/Repository/Vcs/HgDriver.php
Expand Up @@ -68,7 +68,7 @@ public function initialize()

$repoDir = $this->repoDir;
$command = function ($url) use ($repoDir) {
return sprintf('hg clone --noupdate %s %s', ProcessExecutor::escape($url), ProcessExecutor::escape($repoDir));
return sprintf('hg clone --noupdate -- %s %s', ProcessExecutor::escape($url), ProcessExecutor::escape($repoDir));
};

$hgUtils->runCommand($command, $this->url, null);
Expand Down Expand Up @@ -229,7 +229,7 @@ public static function supports(IOInterface $io, Config $config, $url, $deep = f
}

$processExecutor = new ProcessExecutor($io);
$exit = $processExecutor->execute(sprintf('hg identify %s', ProcessExecutor::escape($url)), $ignored);
$exit = $processExecutor->execute(sprintf('hg identify -- %s', ProcessExecutor::escape($url)), $ignored);

return $exit === 0;
}
2 changes: 1 addition & 1 deletion src/Composer/Repository/Vcs/SvnDriver.php
Expand Up @@ -310,7 +310,7 @@ public static function supports(IOInterface $io, Config $config, $url, $deep = f
$processExecutor = new ProcessExecutor($io);

$exit = $processExecutor->execute(
"svn info --non-interactive ".ProcessExecutor::escape($url),
"svn info --non-interactive -- ".ProcessExecutor::escape($url),
$ignoredOutput
);

4 changes: 2 additions & 2 deletions src/Composer/Util/Git.php
Expand Up @@ -254,7 +254,7 @@ public function syncMirror($url, $dir)
$commandCallable = function ($url) {
$sanitizedUrl = preg_replace('{://([^@]+?):(.+?)@}', '://', $url);

return sprintf('git remote set-url origin %s && git remote update --prune origin && git remote set-url origin %s', ProcessExecutor::escape($url), ProcessExecutor::escape($sanitizedUrl));
return sprintf('git remote set-url origin -- %s && git remote update --prune origin && git remote set-url origin -- %s', ProcessExecutor::escape($url), ProcessExecutor::escape($sanitizedUrl));
};
$this->runCommand($commandCallable, $url, $dir);
} catch (\Exception $e) {
Expand All @@ -270,7 +270,7 @@ public function syncMirror($url, $dir)
$this->filesystem->removeDirectory($dir);

$commandCallable = function ($url) use ($dir) {
return sprintf('git clone --mirror %s %s', ProcessExecutor::escape($url), ProcessExecutor::escape($dir));
return sprintf('git clone --mirror -- %s %s', ProcessExecutor::escape($url), ProcessExecutor::escape($dir));
};

$this->runCommand($commandCallable, $url, $dir, true);
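Review bot: The `$sanitizedUrl` written back by the new `git remote set-url origin -- %s` comes from `preg_replace('{://([^@]+?):(.+?)@}', '://', $url)` on the context line above, and the lazy `(.+?)@` stops at the first `@`, so a password containing an unencoded `@` is only partly stripped and its tail is persisted into `.git/config` as part of the host; the same `.+?` crosses `/`, so a URL with a port and an `@` later in its path is mangled. If credentials reaching syncMirror are always percent-encoded this is moot, but anchoring the pattern to the authority avoids the question: `$sanitizedUrl = preg_replace('{://([^/@]+):([^/]+)@}', '://', $url);`. The body of syncMirror continues outside the hunk.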
2 changes: 1 addition & 1 deletion src/Composer/Util/Svn.php
Expand Up @@ -224,7 +224,7 @@ protected function doAuthDance()
protected function getCommand($cmd, $url, $path = null)
{
$cmd = sprintf(
'%s %s%s %s',
'%s %s%s -- %s',
$cmd,
'--non-interactive ',
$this->getCredentialString(),
6 changes: 3 additions & 3 deletions tests/Composer/Test/Downloader/FossilDownloaderTest.php
Expand Up @@ -70,19 +70,19 @@ public function testDownload()
->will($this->returnValue(array('http://fossil.kd2.org/kd2fw/')));
$processExecutor = $this->getMockBuilder('Composer\Util\ProcessExecutor')->getMock();

$expectedFossilCommand = $this->getCmd('fossil clone \'http://fossil.kd2.org/kd2fw/\' \'repo.fossil\'');
$expectedFossilCommand = $this->getCmd('fossil clone -- \'http://fossil.kd2.org/kd2fw/\' \'repo.fossil\'');
$processExecutor->expects($this->at(0))
->method('execute')
->with($this->equalTo($expectedFossilCommand))
->will($this->returnValue(0));

$expectedFossilCommand = $this->getCmd('fossil open \'repo.fossil\' --nested');
$expectedFossilCommand = $this->getCmd('fossil open --nested -- \'repo.fossil\'');
$processExecutor->expects($this->at(1))
->method('execute')
->with($this->equalTo($expectedFossilCommand))
->will($this->returnValue(0));

$expectedFossilCommand = $this->getCmd('fossil update \'trunk\'');
$expectedFossilCommand = $this->getCmd('fossil update -- \'trunk\'');
$processExecutor->expects($this->at(2))
->method('execute')
->with($this->equalTo($expectedFossilCommand))