mirror of
https://we.phorge.it/source/arcanist.git
synced 2024-12-22 21:40:54 +01:00
Fix dynamic string usage as safe input
Summary: This fixes some real issues. Test Plan: $ arc lint Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, btrahan Differential Revision: https://secure.phabricator.com/D4795
parent
03199df925
commit
a9e316bf9c
9 changed files with 28 additions and 24 deletions
|
@ -38,7 +38,9 @@ final class ArcanistDiffUtils {
|
|||
Filesystem::writeFile($file_new, (string)$new."\n");
|
||||
|
||||
list($err, $stdout) = exec_manual(
|
||||
"/usr/bin/diff {$diff_options} -U {$context_lines} %s %s",
|
||||
'/usr/bin/diff %C -U %s %s %s',
|
||||
$diff_options,
|
||||
$context_lines,
|
||||
$file_old,
|
||||
$file_new);
|
||||
|
||||
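Review bot: `$diff_options` is now passed through `%C`, which places it on the command line without shell escaping, so this call is only as safe as whatever builds that string, and that construction is outside the hunk. If it is assembled from fixed flags, a comment above the call such as `// $diff_options is built from constant flags only; %C is deliberate.` would record the assumption; if any part can come from configuration or user input, that part should be escaped where the string is built. The same applies to `$options` in the ArcanistPyFlakesLinter and ArcanistPyLintLinter hunks. The enclosing method starts and ends outside the hunk.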
|
|
|
@ -395,9 +395,8 @@ final class ArcanistHgProxyServer {
|
|||
// NOTE: "cmdserver.log=-" makes Mercurial use the 'd'ebug channel for
|
||||
// log messages.
|
||||
|
||||
$command = 'HGPLAIN=1 hg --config cmdserver.log=- serve --cmdserver pipe';
|
||||
|
||||
$future = new ExecFuture($command);
|
||||
$future = new ExecFuture(
|
||||
'HGPLAIN=1 hg --config cmdserver.log=- serve --cmdserver pipe');
|
||||
$future->setCWD($this->workingCopy);
|
||||
|
||||
$channel = new PhutilExecChannel($future);
|
||||
|
|
|
@ -102,8 +102,10 @@ final class ArcanistJSHintLinter extends ArcanistLinter {
|
|||
}
|
||||
|
||||
// Look for globally installed JSHint
|
||||
$cmd = (phutil_is_windows()) ? 'where %s' : 'which %s';
|
||||
list($err) = exec_manual($cmd, $bin);
|
||||
list($err) = (phutil_is_windows()
|
||||
? exec_manual('where %s', $bin)
|
||||
: exec_manual('which %s', $bin));
|
||||
|
||||
if ($err) {
|
||||
throw new ArcanistUsageException(
|
||||
"JSHint does not appear to be installed on this system. Install it ".
|
||||
|
|
|
@ -60,8 +60,10 @@ final class ArcanistPyFlakesLinter extends ArcanistLinter {
|
|||
$options = $this->getPyFlakesOptions();
|
||||
|
||||
$f = new ExecFuture(
|
||||
"/usr/bin/env PYTHONPATH=%s\$PYTHONPATH ".
|
||||
"{$pyflakes_bin} {$options}", $python_path);
|
||||
'/usr/bin/env PYTHONPATH=%s$PYTHONPATH %s %C',
|
||||
$python_path,
|
||||
$pyflakes_bin,
|
||||
$options);
|
||||
$f->write($this->getData($path));
|
||||
|
||||
try {
|
||||
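Review bot: The new format string still leaves `$PYTHONPATH` unquoted after the escaped `%s`, so the shell word-splits the inherited value when it contains whitespace, and `env` then treats the remainder as the program to run. Quoting the expansion avoids this: `'/usr/bin/env PYTHONPATH=%s"$PYTHONPATH" %s %C'`. The same pattern appears in the ArcanistPyLintLinter hunk. The enclosing method continues outside the hunk.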
|
|
|
@ -206,9 +206,11 @@ final class ArcanistPyLintLinter extends ArcanistLinter {
|
|||
|
||||
try {
|
||||
list($stdout, $_) = execx(
|
||||
"/usr/bin/env PYTHONPATH=%s\$PYTHONPATH ".
|
||||
"{$pylint_bin} {$options} {$path_on_disk}",
|
||||
$python_path);
|
||||
'/usr/bin/env PYTHONPATH=%s$PYTHONPATH %s %C %s',
|
||||
$python_path,
|
||||
$pylint_bin,
|
||||
$options,
|
||||
$path_on_disk);
|
||||
} catch (CommandException $e) {
|
||||
if ($e->getError() == 32) {
|
||||
// According to ##man pylint## the exit status of 32 means there was a
|
||||
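Review bot: `$pylint_bin` moves from raw interpolation to `%s`, so it now reaches the shell as a single escaped word. A configured value that carries arguments or a wrapper (an interpreter followed by a script path, say) would no longer be split, and the command would fail to start. Where the value is set is not visible in this hunk, so this may be intended; if so, a comment like `// $pylint_bin must be a single executable path.` would make the contract explicit. `$pyflakes_bin` in the ArcanistPyFlakesLinter hunk changes the same way.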
|
|
|
@ -157,7 +157,7 @@ final class ArcanistBaseCommitParser {
|
|||
$matches = null;
|
||||
if (preg_match('/^exec\((.*)\)$/', $name, $matches)) {
|
||||
$root = $this->api->getWorkingCopyIdentity()->getProjectRoot();
|
||||
$future = new ExecFuture($matches[1]);
|
||||
$future = new ExecFuture('%C', $matches[1]);
|
||||
$future->setCWD($root);
|
||||
list($err, $stdout) = $future->resolve();
|
||||
if (!$err) {
|
||||
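Review bot: Wrapping `$matches[1]` in `'%C'` still hands the whole text inside `exec(...)` to the shell unescaped, so the safety of this branch rests on where `$name` comes from, which the hunk does not show. If base-commit rules can be read from configuration stored in the repository, a checkout could choose the command that runs here. Consider restricting `exec(...)` rules to user-controlled sources, or at least documenting the trust boundary with `// exec() rules run an arbitrary shell command by design; only accept them from trusted rule sources.` The `raw-command` change in the last hunk of the commit uses the same `'%C'` pattern, there with a command-line argument. The enclosing method continues outside the hunk.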
|
|
|
@ -101,17 +101,15 @@ final class ArcanistBundle {
|
|||
$path = Filesystem::resolvePath($path);
|
||||
|
||||
$future = new ExecFuture(
|
||||
csprintf(
|
||||
'tar tfO %s',
|
||||
$path));
|
||||
'tar tfO %s',
|
||||
$path);
|
||||
list($stdout, $file_list) = $future->resolvex();
|
||||
$file_list = explode("\n", trim($file_list));
|
||||
|
||||
if (in_array('meta.json', $file_list)) {
|
||||
$future = new ExecFuture(
|
||||
csprintf(
|
||||
'tar xfO %s meta.json',
|
||||
$path));
|
||||
'tar xfO %s meta.json',
|
||||
$path);
|
||||
$meta_info = $future->resolveJSON();
|
||||
$version = idx($meta_info, 'version', 0);
|
||||
$project_name = idx($meta_info, 'projectName');
|
||||
|
@ -130,9 +128,8 @@ final class ArcanistBundle {
|
|||
}
|
||||
|
||||
$future = new ExecFuture(
|
||||
csprintf(
|
||||
'tar xfO %s changes.json',
|
||||
$path));
|
||||
'tar xfO %s changes.json',
|
||||
$path);
|
||||
$changes = $future->resolveJSON();
|
||||
|
||||
foreach ($changes as $change_key => $change) {
|
||||
|
|
|
@ -25,8 +25,8 @@ EOTEXT
|
|||
|
||||
public function run() {
|
||||
phutil_passthru(
|
||||
dirname(phutil_get_library_root('arcanist')) . '/scripts/breakout.py'
|
||||
);
|
||||
'%s/scripts/breakout.py',
|
||||
dirname(phutil_get_library_root('arcanist')));
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -868,7 +868,7 @@ EOTEXT
|
|||
fwrite(STDERR, "Reading diff from stdin...\n");
|
||||
$raw_diff = file_get_contents('php://stdin');
|
||||
} else if ($this->getArgument('raw-command')) {
|
||||
list($raw_diff) = execx($this->getArgument('raw-command'));
|
||||
list($raw_diff) = execx('%C', $this->getArgument('raw-command'));
|
||||
} else {
|
||||
throw new Exception("Unknown raw diff source.");
|
||||
}
|
||||
|
|