Commit c46eaca9 authored by Nigel Kukard's avatar Nigel Kukard

More escaping

- Database name may contain characters which are not shell friendly
- Database password could contain the same
- While we're at it there is no harm in escaping generated paths too
- Refactored 2-line system(command)
Signed-off-by: default avatarNigel Kukard <nkukard@lbsd.net>
parent ee0e9830
require 'yaml'
require 'shellwords'
module Backup
class Database
......@@ -13,20 +14,20 @@ module Backup
def dump
case config["adapter"]
when /^mysql/ then
system("mysqldump #{mysql_args} #{config['database']} > #{db_file_name}")
system("mysqldump #{mysql_args} #{Shellwords.shellescape(config['database'])} > #{Shellwords.shellescape(db_file_name)}")
when "postgresql" then
pg_env
system("pg_dump #{config['database']} > #{db_file_name}")
system("pg_dump #{Shellwords.shellescape(config['database'])} > #{db_file_name}")
end
end
def restore
case config["adapter"]
when /^mysql/ then
system("mysql #{mysql_args} #{config['database']} < #{db_file_name}")
system("mysql #{mysql_args} #{Shellwords.shellescape(config['database'])} < #{db_file_name}")
when "postgresql" then
pg_env
system("psql #{config['database']} -f #{db_file_name}")
system("psql #{Shellwords.shellescape(config['database'])} -f #{Shellwords.shellescape(db_file_name)}")
end
end
......@@ -45,7 +46,7 @@ module Backup
'encoding' => '--default-character-set',
'password' => '--password'
}
args.map { |opt, arg| "#{arg}='#{config[opt]}'" if config[opt] }.compact.join(' ')
args.map { |opt, arg| "#{arg}=#{Shellwords.shellescape(config[opt])}" if config[opt] }.compact.join(' ')
end
def pg_env
......
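Review bot: `db_file_name` is still interpolated unescaped in the `pg_dump` redirect and in the `mysql` input redirect (the second and third rewritten `system` lines of the first hunk), while the `mysqldump` and `psql` lines in the same hunk escape it, so a backup path containing a space or a shell metacharacter breaks, or is reinterpreted by the shell, on exactly those two commands. Both should read `… > #{Shellwords.shellescape(db_file_name)}` and `… < #{Shellwords.shellescape(db_file_name)}`. Escaping is correct for the string form, but these commands only go through `sh -c` because of the redirection; `system('pg_dump', config['database'], out: db_file_name)` runs without a shell and needs no escaping at all. Separately, `--password=` in `mysql_args` keeps the secret in the process argv, where it is visible in process listings to other local users; that is pre-existing, and a `--defaults-extra-file` or the `MYSQL_PWD` environment variable avoids it.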
require 'yaml'
require 'shellwords'
module Backup
class Repository
......@@ -18,7 +19,7 @@ module Backup
# Create namespace dir if missing
FileUtils.mkdir_p(File.join(backup_repos_path, project.namespace.path)) if project.namespace
if system("cd #{path_to_repo(project)} > /dev/null 2>&1 && git bundle create #{path_to_bundle(project)} --all > /dev/null 2>&1")
if system("cd #{Shellwords.shellescape(path_to_repo(project))} > /dev/null 2>&1 && git bundle create #{Shellwords.shellescape(path_to_bundle(project))} --all > /dev/null 2>&1")
puts "[DONE]".green
else
puts "[FAILED]".red
......@@ -30,7 +31,7 @@ module Backup
print " * #{wiki.path_with_namespace} ... "
if wiki.empty?
puts " [SKIPPED]".cyan
elsif system("cd #{path_to_repo(wiki)} > /dev/null 2>&1 && git bundle create #{path_to_bundle(wiki)} --all > /dev/null 2>&1")
elsif system("cd #{Shellwords.shellescape(path_to_repo(wiki))} > /dev/null 2>&1 && git bundle create #{Shellwords.shellescape(path_to_bundle(wiki))} --all > /dev/null 2>&1")
puts " [DONE]".green
else
puts " [FAILED]".red
......@@ -53,7 +54,7 @@ module Backup
project.namespace.ensure_dir_exist if project.namespace
if system("git clone --bare #{path_to_bundle(project)} #{path_to_repo(project)} > /dev/null 2>&1")
if system("git clone --bare #{Shellwords.shellescape(path_to_bundle(project))} #{Shellwords.shellescape(path_to_repo(project))} > /dev/null 2>&1")
puts "[DONE]".green
else
puts "[FAILED]".red
......@@ -63,7 +64,7 @@ module Backup
if File.exists?(path_to_bundle(wiki))
print " * #{wiki.path_with_namespace} ... "
if system("git clone --bare #{path_to_bundle(wiki)} #{path_to_repo(wiki)} > /dev/null 2>&1")
if system("git clone --bare #{Shellwords.shellescape(path_to_bundle(wiki))} #{Shellwords.shellescape(path_to_repo(wiki))} > /dev/null 2>&1")
puts " [DONE]".green
else
puts " [FAILED]".red
......
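Review bot: Escaping each interpolated path makes the shell treat it as one word, but every rewritten `system` line in this file (the two `git bundle create` lines and the two `git clone --bare` lines) still runs through `sh -c` only to get `cd` and the `> /dev/null 2>&1` redirections, which is what made escaping necessary in the first place. The argv form of `system` needs no escaping and covers both: `system('git', 'bundle', 'create', path_to_bundle(project), '--all', chdir: path_to_repo(project), out: File::NULL, err: File::NULL)` and `system('git', 'clone', '--bare', path_to_bundle(project), path_to_repo(project), out: File::NULL, err: File::NULL)`. Note that escaping does not stop a value beginning with `-` from being read as an option; if, as the `File.join(backup_repos_path, …)` on the mkdir line suggests, these paths are always absolute, that does not arise here, but it is worth confirming for `path_to_bundle`. The enclosing methods start and end outside the hunks.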
require "spec_helper"
require "shellwords"
describe GollumWiki do
def create_temp_repo(path)
FileUtils.mkdir_p path
command = "git init --quiet #{path};"
system(command)
system("git init --quiet #{Shellwords.shellescape(path)}")
end
def remove_temp_repo(path)
......
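Review bot: The return value of `system` is still discarded in `create_temp_repo`, so if `git init` fails (git not on PATH, an unwritable `path`) the helper returns `false` silently and the examples that depend on the repository fail later with an unrelated error; the same applies to `create_temp_repo` in the WikiPage spec and in TestEnv. The argv form removes the quoting question and the failure can be surfaced on the same line: `raise "git init failed: #{path}" unless system('git', 'init', '--quiet', path)`. `Shellwords.shellescape` is correct as written, but it only has work to do because the string form invokes a shell for a command that has no redirection or pipe.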
require "spec_helper"
require "shellwords"
describe WikiPage do
def create_temp_repo(path)
FileUtils.mkdir_p path
command = "git init --quiet #{path};"
system(command)
system("git init --quiet #{Shellwords.shellescape(path)}")
end
def remove_temp_repo(path)
......
require 'rspec/mocks'
require 'shellwords'
module TestEnv
extend self
......@@ -102,7 +103,7 @@ module TestEnv
repo = repo(namespace, name)
# Symlink tmp/repositories/gitlabhq to tmp/test-git-base-path/gitlabhq
system("ln -s -f #{seed_repo_path()} #{repo}")
system("ln -s -f #{Shellwords.shellescape(seed_repo_path())} #{Shellwords.shellescape(repo)}")
create_satellite(repo, namespace, name)
end
......@@ -166,12 +167,11 @@ module TestEnv
# Symlink tmp/satellite/gitlabhq to tmp/test-git-base-path/satellite/gitlabhq, create the directory if it doesn't exist already
satellite_dir = File.dirname(satellite_repo)
FileUtils.mkdir_p(satellite_dir) unless File.exists?(satellite_dir)
system("ln -s -f #{seed_satellite_path} #{satellite_repo}")
system("ln -s -f #{Shellwords.shellescape(seed_satellite_path)} #{Shellwords.shellescape(satellite_repo)}")
end
def create_temp_repo(path)
FileUtils.mkdir_p path
command = "git init --quiet --bare #{path};"
system(command)
system("git init --quiet --bare #{Shellwords.shellescape(path)}")
end
end
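Review bot: The two `ln -s -f` lines (the repository symlink in the first hunk and the satellite symlink in the second) shell out for something this file already does natively with `FileUtils` on the `mkdir_p` line just above the second one: `FileUtils.ln_sf(seed_repo_path, repo)` and `FileUtils.ln_sf(seed_satellite_path, satellite_repo)` create the same forced symlinks with no shell, no escaping, and an exception on failure instead of a `false` return that nothing checks. The enclosing methods of both symlink hunks start outside the hunks. In the third hunk, `create_temp_repo` likewise ignores the result of `system`; `raise "git init failed: #{path}" unless system('git', 'init', '--quiet', '--bare', path)` keeps the escaping out of the picture and makes a failed init visible.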