Fix escape of filenames in bundle doctor

rubygems · Nov 27, 2021 · 3ede143 · 3ede143
1 parent 1e12c5d
commit 3ede143
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/bundler/lib/bundler/cli/doctor.rb b/bundler/lib/bundler/cli/doctor.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "rbconfig"
+require "shellwords"
 
 module Bundler
   class CLI::Doctor
@@ -22,14 +23,14 @@ def ldd_available?
     end
 
     def dylibs_darwin(path)
-      output = `/usr/bin/otool -L "#{path}"`.chomp
+      output = `/usr/bin/otool -L #{path.shellescape}`.chomp
       dylibs = output.split("\n")[1..-1].map {|l| l.match(DARWIN_REGEX).captures[0] }.uniq
       # ignore @rpath and friends
       dylibs.reject {|dylib| dylib.start_with? "@" }
     end
 
     def dylibs_ldd(path)
-      output = `/usr/bin/ldd "#{path}"`.chomp
+      output = `/usr/bin/ldd #{path.shellescape}`.chomp
       output.split("\n").map do |l|
         match = l.match(LDD_REGEX)
         next if match.nil?

diff --git a/bundler/spec/commands/doctor_spec.rb b/bundler/spec/commands/doctor_spec.rb
@@ -133,4 +133,14 @@
       end
     end
   end
+
+  context "when home contains filesname with special characters" do
+    it "escape filename before command execute" do
+      doctor = Bundler::CLI::Doctor.new({})
+      expect(doctor).to receive(:`).with("/usr/bin/otool -L \\$\\(date\\)\\ \\\"\\'\\\\.bundle").and_return("dummy string")
+      doctor.dylibs_darwin('$(date) "\'\.bundle')
+      expect(doctor).to receive(:`).with("/usr/bin/ldd \\$\\(date\\)\\ \\\"\\'\\\\.bundle").and_return("dummy string")
+      doctor.dylibs_ldd('$(date) "\'\.bundle')
+    end
+  end
 end