1.0.5 cocaine security fixes #5
| @@ -144,12 +144,16 @@ def clone(url, rev, src_dir) | |||
| initial_time = Time.now | |||
|
|
|||
| with_git_mirror(url) do |mirror| | |||
| Cocaine::CommandLine.new("git clone --quiet --reference '#{mirror}' '#{url}'" \ | |||
| " '#{File.join(abs_clone_path, src_dir)}'").run | |||
| Cocaine::CommandLine.new('git clone --quiet --reference', ':var') | |||
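Review bot: the replacement line `+ Cocaine::CommandLine.new('git clone --quiet --reference', ':var')` funnels three distinct values (the mirror path, the repository url and the target directory that the removed lines interpolated with `'#{mirror}'`, `'#{url}'` and `'#{File.join(abs_clone_path, src_dir)}'`) through one `:var` placeholder; the rest of the hunk is cut off here, but Cocaine quotes each interpolated value as a single shell word, so a value assembled from all three either reaches `git clone` as one argument or has to be built without that quoting. Give each value its own placeholder, e.g. `'--quiet --reference :mirror :repository :directory'`, and pass them separately to `run`, so each one is escaped on its own and the old string interpolation (the injection this PR fixes) stays out of the command template.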
I think it would be easier to read with separate named args, i.e.
Cocaine::CommandLine.new('git clone', '--quiet --reference :mirror :repository :directory')
.run(mirror: mirror, repository: url, directory: File.join(abs_clone_path, src_dir))
LGTM though it would be nice to polish this later.

Gonna clean it up

The code isn't the prettiest, but it does look safe after reading through it. This is safe from the two POCs I provided. I'm really not an expert on Cocaine::CommandLine though. I'd echo @dlubarov and suggest you use multiple meaningfully named parameters in It looks like you're using the interpolations from Cocaine correctly and safely now.

Yeah, it's really difficult to follow right now. I'll revert it and add the meaningfully-named parameters tomorrow.
7778d2d
to
9c6a28e
1.0.5 cocaine security fixes
Fastclone is using cocaine improperly, allowing malicious command injection.
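The two shapes of the `git clone` command that this PR is about, as an added example that is not fastclone's code and does not use the Cocaine gem: `unsafe_clone_command` reproduces the removed lines' string interpolation, `safe_clone_command` gives every value the per-argument quoting that Cocaine's `:placeholder` interpolation provides (here via the standard library's `Shellwords`), and `shell_word_count` is a defender's check that a shell would see the expected number of words. The helper names and the sample mirror, url and directory values are constructed for the illustration.

```ruby
require 'shellwords'

# Constructed example, not fastclone's code. Models the two ways the hunk
# builds the clone command: values interpolated straight into one shell
# string (the vulnerable "before") versus each value quoted as exactly one
# shell word (what Cocaine does for you when values go in via run(name: value)).

# Vulnerable: untrusted values become part of the shell command text, so a
# quote character inside `url` ends the quoted word and what follows is
# parsed by the shell as further words (or further commands).
def unsafe_clone_command(mirror, url, dir)
  "git clone --quiet --reference '#{mirror}' '#{url}' '#{dir}'"
end

# Hardened: each value is escaped as one shell word; the metacharacters in
# the value survive unchanged but can never change the command structure.
def safe_clone_command(mirror, url, dir)
  ['git', 'clone', '--quiet', '--reference', mirror, url, dir].shelljoin
end

# Defender's check: split the command the way a shell would and count the
# words. `git clone --quiet --reference MIRROR URL DIR` must be 7 words; any
# other count means a value broke out of its quoting.
def shell_word_count(command)
  Shellwords.split(command).length
end

# Convenience: the seven-word argv a caller could hand to Process.spawn or
# system() directly, bypassing the shell entirely (also safe).
def clone_argv(mirror, url, dir)
  ['git', 'clone', '--quiet', '--reference', mirror, url, dir]
end

if __FILE__ == $PROGRAM_NAME
  mirror = '/var/cache/mirror'          # constructed sample values
  dir    = '/srv/src/repo'
  plain  = 'https://example.com/repo.git'
  tricky = "repo' extra'"               # a quote inside the value

  [plain, tricky].each do |url|
    puts "unsafe: #{shell_word_count(unsafe_clone_command(mirror, url, dir))} words"
    puts "safe:   #{shell_word_count(safe_clone_command(mirror, url, dir))} words"
  end
end
```

With the plain url both forms produce seven words; with a value that contains a quote, the interpolated form splits into eight words while the escaped form still yields seven and returns the value intact as the sixth word, which is the property a review of a command-building change should verify.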