More escaping

- Database name may contain characters which are not shell friendly - Database password could contain the same - While we at it there is no harm in escaping generated paths too - Refactored 2-line system(command) Signed-off-by: Nigel Kukard <nkukard@lbsd.net>

More escaping
- Database name may contain characters which are not shell friendly - Database password could contain the same - While we at it there is no harm in escaping generated paths too - Refactored 2-line system(command) Signed-off-by: Nigel Kukard <nkukard@lbsd.net>
Nigel Kukard
1 parent ee0e9830
Showing 5 changed files with 19 additions and 17 deletions Show diff stats
lib/backup/database.rb
lib/backup/repository.rb
spec/models/gollum_wiki_spec.rb
spec/models/wiki_page_spec.rb
spec/support/test_env.rb
 require 'yaml'
+require 'shellwords'
  
 module Backup
   class Database
@@ -13,20 +14,20 @@ module Backup
     def dump
       case config["adapter"]
       when /^mysql/ then
-        system("mysqldump #{mysql_args} #{config['database']} > #{db_file_name}")
+        system("mysqldump #{mysql_args} #{Shellwords.shellescape(config['database'])} > #{Shellwords.shellescape(db_file_name)}")
       when "postgresql" then
         pg_env
-        system("pg_dump #{config['database']} > #{db_file_name}")
+        system("pg_dump #{Shellwords.shellescape(config['database'])} > #{db_file_name}")
       end
     end
  
     def restore
       case config["adapter"]
       when /^mysql/ then
-        system("mysql #{mysql_args} #{config['database']} < #{db_file_name}")
+        system("mysql #{mysql_args} #{Shellwords.shellescape(config['database'])} < #{db_file_name}")
       when "postgresql" then
         pg_env
-        system("psql #{config['database']} -f #{db_file_name}")
+        system("psql #{Shellwords.shellescape(config['database'])} -f #{Shellwords.shellescape(db_file_name)}")
       end
     end
  
@@ -45,7 +46,7 @@ module Backup
         'encoding'  => '--default-character-set',
         'password'  => '--password'
       }
-      args.map { |opt, arg| "#{arg}='#{config[opt]}'" if config[opt] }.compact.join(' ')
+      args.map { |opt, arg| "#{arg}=#{Shellwords.shellescape(config[opt])}" if config[opt] }.compact.join(' ')
     end
  
     def pg_env
 require 'yaml'
+require 'shellwords'
  
 module Backup
   class Repository
@@ -18,7 +19,7 @@ module Backup
         # Create namespace dir if missing
         FileUtils.mkdir_p(File.join(backup_repos_path, project.namespace.path)) if project.namespace
  
-        if system("cd #{path_to_repo(project)} > /dev/null 2>&1 && git bundle create #{path_to_bundle(project)} --all > /dev/null 2>&1")
+        if system("cd #{Shellwords.shellescape(path_to_repo(project))} > /dev/null 2>&1 && git bundle create #{Shellwords.shellescape(path_to_bundle(project))} --all > /dev/null 2>&1")
           puts "[DONE]".green
         else
           puts "[FAILED]".red
@@ -30,7 +31,7 @@ module Backup
           print " * #{wiki.path_with_namespace} ... "
           if wiki.empty?
             puts " [SKIPPED]".cyan
-          elsif system("cd #{path_to_repo(wiki)} > /dev/null 2>&1 && git bundle create #{path_to_bundle(wiki)} --all > /dev/null 2>&1")
+          elsif system("cd #{Shellwords.shellescape(path_to_repo(wiki))} > /dev/null 2>&1 && git bundle create #{Shellwords.shellescape(path_to_bundle(wiki))} --all > /dev/null 2>&1")
             puts " [DONE]".green
           else
             puts " [FAILED]".red
@@ -53,7 +54,7 @@ module Backup
  
         project.namespace.ensure_dir_exist if project.namespace
  
-        if system("git clone --bare #{path_to_bundle(project)} #{path_to_repo(project)} > /dev/null 2>&1")
+        if system("git clone --bare #{Shellwords.shellescape(path_to_bundle(project))} #{Shellwords.shellescape(path_to_repo(project))} > /dev/null 2>&1")
           puts "[DONE]".green
         else
           puts "[FAILED]".red
@@ -63,7 +64,7 @@ module Backup
  
         if File.exists?(path_to_bundle(wiki))
           print " * #{wiki.path_with_namespace} ... "
-          if system("git clone --bare #{path_to_bundle(wiki)} #{path_to_repo(wiki)} > /dev/null 2>&1")
+          if system("git clone --bare #{Shellwords.shellescape(path_to_bundle(wiki))} #{Shellwords.shellescape(path_to_repo(wiki))} > /dev/null 2>&1")
             puts " [DONE]".green
           else
             puts " [FAILED]".red
 require "spec_helper"
+require "shellwords"
  
 describe GollumWiki do
  
   def create_temp_repo(path)
     FileUtils.mkdir_p path
-    command = "git init --quiet #{path};"
-    system(command)
+    system("git init --quiet #{Shellwords.shellescape(path)}")
   end
  
   def remove_temp_repo(path)
 require "spec_helper"
+require "shellwords"
  
 describe WikiPage do
  
   def create_temp_repo(path)
     FileUtils.mkdir_p path
-    command = "git init --quiet #{path};"
-    system(command)
+    system("git init --quiet #{Shellwords.shellescape(path)}")
   end
  
   def remove_temp_repo(path)
 require 'rspec/mocks'
+require 'shellwords'
  
 module TestEnv
   extend self
@@ -102,7 +103,7 @@ module TestEnv
     repo = repo(namespace, name)
  
     # Symlink tmp/repositories/gitlabhq to tmp/test-git-base-path/gitlabhq
-    system("ln -s -f #{seed_repo_path()} #{repo}")
+    system("ln -s -f #{Shellwords.shellescape(seed_repo_path())} #{Shellwords.shellescape(repo)}")
     create_satellite(repo, namespace, name)
   end
  
@@ -166,12 +167,11 @@ module TestEnv
     # Symlink tmp/satellite/gitlabhq to tmp/test-git-base-path/satellite/gitlabhq, create the directory if it doesn't exist already
     satellite_dir = File.dirname(satellite_repo)
     FileUtils.mkdir_p(satellite_dir) unless File.exists?(satellite_dir)
-    system("ln -s -f #{seed_satellite_path} #{satellite_repo}")
+    system("ln -s -f #{Shellwords.shellescape(seed_satellite_path)} #{Shellwords.shellescape(satellite_repo)}")
   end
  
   def create_temp_repo(path)
     FileUtils.mkdir_p path
-    command = "git init --quiet --bare #{path};"
-    system(command)
+    system("git init --quiet --bare #{Shellwords.shellescape(path)}")
   end
 end
1	1	require 'yaml'
	2	+require 'shellwords'
2	3
3	4	module Backup
4	5	class Database
...	...	@@ -13,20 +14,20 @@ module Backup
13	14	def dump
14	15	case config["adapter"]
15	16	when /^mysql/ then
16		- system("mysqldump #{mysql_args} #{config['database']} > #{db_file_name}")
	17	+ system("mysqldump #{mysql_args} #{Shellwords.shellescape(config['database'])} > #{Shellwords.shellescape(db_file_name)}")
17	18	when "postgresql" then
18	19	pg_env
19		- system("pg_dump #{config['database']} > #{db_file_name}")
	20	+ system("pg_dump #{Shellwords.shellescape(config['database'])} > #{db_file_name}")
20	21	end
21	22	end
22	23
23	24	def restore
24	25	case config["adapter"]
25	26	when /^mysql/ then
26		- system("mysql #{mysql_args} #{config['database']} < #{db_file_name}")
	27	+ system("mysql #{mysql_args} #{Shellwords.shellescape(config['database'])} < #{db_file_name}")
27	28	when "postgresql" then
28	29	pg_env
29		- system("psql #{config['database']} -f #{db_file_name}")
	30	+ system("psql #{Shellwords.shellescape(config['database'])} -f #{Shellwords.shellescape(db_file_name)}")
30	31	end
31	32	end
32	33
...	...	@@ -45,7 +46,7 @@ module Backup
45	46	'encoding' => '--default-character-set',
46	47	'password' => '--password'
47	48	}
48		- args.map { \|opt, arg\| "#{arg}='#{config[opt]}'" if config[opt] }.compact.join(' ')
	49	+ args.map { \|opt, arg\| "#{arg}=#{Shellwords.shellescape(config[opt])}" if config[opt] }.compact.join(' ')
49	50	end
50	51
51	52	def pg_env
...	...
1	1	require "spec_helper"
	2	+require "shellwords"
2	3
3	4	describe GollumWiki do
4	5
5	6	def create_temp_repo(path)
6	7	FileUtils.mkdir_p path
7		- command = "git init --quiet #{path};"
8		- system(command)
	8	+ system("git init --quiet #{Shellwords.shellescape(path)}")
9	9	end
10	10
11	11	def remove_temp_repo(path)
...	...
1	1	require "spec_helper"
	2	+require "shellwords"
2	3
3	4	describe WikiPage do
4	5
5	6	def create_temp_repo(path)
6	7	FileUtils.mkdir_p path
7		- command = "git init --quiet #{path};"
8		- system(command)
	8	+ system("git init --quiet #{Shellwords.shellescape(path)}")
9	9	end
10	10
11	11	def remove_temp_repo(path)
...	...
1	1	require 'rspec/mocks'
	2	+require 'shellwords'
2	3
3	4	module TestEnv
4	5	extend self
...	...	@@ -102,7 +103,7 @@ module TestEnv
102	103	repo = repo(namespace, name)
103	104
104	105	# Symlink tmp/repositories/gitlabhq to tmp/test-git-base-path/gitlabhq
105		- system("ln -s -f #{seed_repo_path()} #{repo}")
	106	+ system("ln -s -f #{Shellwords.shellescape(seed_repo_path())} #{Shellwords.shellescape(repo)}")
106	107	create_satellite(repo, namespace, name)
107	108	end
108	109
...	...	@@ -166,12 +167,11 @@ module TestEnv
166	167	# Symlink tmp/satellite/gitlabhq to tmp/test-git-base-path/satellite/gitlabhq, create the directory if it doesn't exist already
167	168	satellite_dir = File.dirname(satellite_repo)
168	169	FileUtils.mkdir_p(satellite_dir) unless File.exists?(satellite_dir)
169		- system("ln -s -f #{seed_satellite_path} #{satellite_repo}")
	170	+ system("ln -s -f #{Shellwords.shellescape(seed_satellite_path)} #{Shellwords.shellescape(satellite_repo)}")
170	171	end
171	172
172	173	def create_temp_repo(path)
173	174	FileUtils.mkdir_p path
174		- command = "git init --quiet --bare #{path};"
175		- system(command)
	175	+ system("git init --quiet --bare #{Shellwords.shellescape(path)}")
176	176	end
177	177	end
...	...