Skip to content

Commit

Permalink
Merge pull request #127 from CocoaPods/validate_before_dl
Browse files Browse the repository at this point in the history
Switches where we check for invalid input, to move it inside the download function
  • Loading branch information
dnkoutso authored Mar 28, 2022
2 parents 96679f2 + 99fec61 commit d2564c3
Show file tree
Hide file tree
Showing 5 changed files with 32 additions and 25 deletions.
9 changes: 9 additions & 0 deletions lib/cocoapods-downloader/base.rb
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,7 @@ def name
# @return [void]
#
def download
validate_input
ui_action("#{name} download") do
target_path.mkpath
download!
Expand Down Expand Up @@ -121,6 +122,14 @@ def checkout_options
raise 'Abstract method'
end

# Provides a before-download check for safety of the options in the
# concrete downloader.
#
# @return [void]
#
def validate_input
end

# Returns a User-Agent string that itentifies http network requests as
# originating from CocoaPods.
# Contains version numbers from the CocoaPods Gem and the cocoapods-downloader Gem.
Expand Down
15 changes: 7 additions & 8 deletions lib/cocoapods-downloader/git.rb
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ def checkout_options
end

def self.preprocess_options(options)
validate_input options
return options unless options[:branch]

command = ['ls-remote',
Expand Down Expand Up @@ -58,13 +57,7 @@ def self.commit_from_ls_remote(output, branch_name)
match[1] unless match.nil?
end

def self.validate_input(options)
input = [options[:git], options[:branch], options[:commit], options[:tag]].map(&:to_s)
invalid = input.compact.any? { |value| value.start_with?('--') || value.include?(' --') }
raise DownloaderError, "Provided unsafe input for git #{options}." if invalid
end

private_class_method :commit_from_ls_remote, :validate_input
private_class_method :commit_from_ls_remote

private

Expand Down Expand Up @@ -160,6 +153,12 @@ def checkout_commit
def target_git(*args)
git!(['-C', target_path] + args)
end

def validate_input
input = [url, options[:branch], options[:commit], options[:tag]].map(&:to_s)
invalid = input.compact.any? { |value| value.start_with?('--') || value.include?(' --') }
raise DownloaderError, "Provided unsafe input for git #{options}." if invalid
end
end
end
end
19 changes: 6 additions & 13 deletions lib/cocoapods-downloader/mercurial.rb
Original file line number Diff line number Diff line change
Expand Up @@ -18,19 +18,6 @@ def checkout_options
end
end

def self.preprocess_options(options)
validate_input options
options
end

def self.validate_input(options)
input = [options[:hg], options[:revision], options[:branch], options[:tag]].map(&:to_s)
invalid = input.compact.any? { |value| value.start_with?('--') || value.include?(' --') }
raise DownloaderError, "Provided unsafe input for hg #{options}." if invalid
end

private_class_method :validate_input

private

executable :hg
Expand Down Expand Up @@ -62,6 +49,12 @@ def download_tag!
def download_branch!
hg! 'clone', url, '--updaterev', options[:branch], @target_path
end

def validate_input
input = [url, options[:revision], options[:branch], options[:tag]].map(&:to_s)
invalid = input.compact.any? { |value| value.start_with?('--') || value.include?(' --') }
raise DownloaderError, "Provided unsafe input for hg #{options}." if invalid
end
end
end
end
6 changes: 3 additions & 3 deletions spec/git_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -294,19 +294,19 @@ def ensure_only_one_ref(folder)
describe ':bad input' do
it 'bails when you provide a bad input' do
options = { :git => '--upload-pack=touch ./HELLO1;', :branch => 'foo' }
e = lambda { Downloader.preprocess_options(options) }.should.raise DownloaderError
e = lambda { Downloader.for_target(tmp_folder, options).download }.should.raise DownloaderError
e.message.should.match /Provided unsafe input/
end

it 'bails when you provide a bad input after valid input' do
options = { :git => 'github.com --upload-pack=touch ./HELLO1;', :branch => 'foo' }
e = lambda { Downloader.preprocess_options(options) }.should.raise DownloaderError
e = lambda { Downloader.for_target(tmp_folder, options).download }.should.raise DownloaderError
e.message.should.match /Provided unsafe input/
end

it 'bails with other fields' do
options = { :branch => '--upload-pack=touch ./HELLO1;', :git => 'foo' }
e = lambda { Downloader.preprocess_options(options) }.should.raise DownloaderError
e = lambda { Downloader.for_target(tmp_folder, options).download }.should.raise DownloaderError
e.message.should.match /Provided unsafe input/
end
end
Expand Down
8 changes: 7 additions & 1 deletion spec/mercurial_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,13 @@ module Downloader
describe ':bad input' do
it 'bails when you provide a bad input' do
options = { :hg => '--config=alias.clone=!touch ./HELLO2;' }
e = lambda { Downloader.preprocess_options(options) }.should.raise DownloaderError
e = lambda { Downloader.for_target(tmp_folder, options).download }.should.raise DownloaderError
e.message.should.match /Provided unsafe input/
end

it 'bails when you provide a bad input2' do
options = { :hg => 'foo/bar', :revision => '--config=alias.clone=!touch ./HELLO3;' }
e = lambda { Downloader.for_target(tmp_folder, options).download }.should.raise DownloaderError
e.message.should.match /Provided unsafe input/
end
end
Expand Down

0 comments on commit d2564c3

Please sign in to comment.