Fix dynamic string usage as safe input

Summary: This fixes some real issues. Test Plan: $ arc lint Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, btrahan Differential Revision: https://secure.phabricator.com/D4795
2024-11-22 14:52:40 +01:00 · 2013-02-02 13:07:39 -08:00 · 2013-02-02 13:07:39 -08:00 · a9e316bf9c
commit a9e316bf9c
parent 03199df925
9 changed files with 28 additions and 24 deletions
--- a/src/difference/ArcanistDiffUtils.php
+++ b/src/difference/ArcanistDiffUtils.php
@ -38,7 +38,9 @@ final class ArcanistDiffUtils {
    Filesystem::writeFile($file_new, (string)$new."\n");
    list($err, $stdout) = exec_manual(
-      "/usr/bin/diff {$diff_options} -U {$context_lines} %s %s",
+      '/usr/bin/diff %C -U %s %s %s',
      $diff_options,
      $context_lines,
      $file_old,
      $file_new);
--- a/src/hgdaemon/ArcanistHgProxyServer.php
+++ b/src/hgdaemon/ArcanistHgProxyServer.php
@ -395,9 +395,8 @@ final class ArcanistHgProxyServer {
    // NOTE: "cmdserver.log=-" makes Mercurial use the 'd'ebug channel for
    // log messages.
-    $command = 'HGPLAIN=1 hg --config cmdserver.log=- serve --cmdserver pipe';
+    $future = new ExecFuture(
-
+      'HGPLAIN=1 hg --config cmdserver.log=- serve --cmdserver pipe');
    $future = new ExecFuture($command);
    $future->setCWD($this->workingCopy);
    $channel = new PhutilExecChannel($future);
--- a/src/lint/linter/ArcanistJSHintLinter.php
+++ b/src/lint/linter/ArcanistJSHintLinter.php
@ -102,8 +102,10 @@ final class ArcanistJSHintLinter extends ArcanistLinter {
    }
    // Look for globally installed JSHint
-    $cmd = (phutil_is_windows()) ? 'where %s' : 'which %s';
+    list($err) = (phutil_is_windows()
-    list($err) = exec_manual($cmd, $bin);
+      ? exec_manual('where %s', $bin)
      : exec_manual('which %s', $bin));
    if ($err) {
      throw new ArcanistUsageException(
        "JSHint does not appear to be installed on this system. Install it ".
--- a/src/lint/linter/ArcanistPyFlakesLinter.php
+++ b/src/lint/linter/ArcanistPyFlakesLinter.php
@ -60,8 +60,10 @@ final class ArcanistPyFlakesLinter extends ArcanistLinter {
    $options = $this->getPyFlakesOptions();
    $f = new ExecFuture(
-          "/usr/bin/env PYTHONPATH=%s\$PYTHONPATH ".
+      '/usr/bin/env PYTHONPATH=%s$PYTHONPATH %s %C',
-            "{$pyflakes_bin} {$options}", $python_path);
+      $python_path,
      $pyflakes_bin,
      $options);
    $f->write($this->getData($path));
    try {
--- a/src/lint/linter/ArcanistPyLintLinter.php
+++ b/src/lint/linter/ArcanistPyLintLinter.php
@ -206,9 +206,11 @@ final class ArcanistPyLintLinter extends ArcanistLinter {
    try {
      list($stdout, $_) = execx(
-          "/usr/bin/env PYTHONPATH=%s\$PYTHONPATH ".
+        '/usr/bin/env PYTHONPATH=%s$PYTHONPATH %s %C %s',
-            "{$pylint_bin} {$options} {$path_on_disk}",
+        $python_path,
-          $python_path);
+        $pylint_bin,
        $options,
        $path_on_disk);
    } catch (CommandException $e) {
      if ($e->getError() == 32) {
        // According to ##man pylint## the exit status of 32 means there was a
--- a/src/parser/ArcanistBaseCommitParser.php
+++ b/src/parser/ArcanistBaseCommitParser.php
@ -157,7 +157,7 @@ final class ArcanistBaseCommitParser {
        $matches = null;
        if (preg_match('/^exec\((.*)\)$/', $name, $matches)) {
          $root = $this->api->getWorkingCopyIdentity()->getProjectRoot();
-          $future = new ExecFuture($matches[1]);
+          $future = new ExecFuture('%C', $matches[1]);
          $future->setCWD($root);
          list($err, $stdout) = $future->resolve();
          if (!$err) {
--- a/src/parser/ArcanistBundle.php
+++ b/src/parser/ArcanistBundle.php
@ -101,17 +101,15 @@ final class ArcanistBundle {
    $path = Filesystem::resolvePath($path);
    $future = new ExecFuture(
-      csprintf(
+      'tar tfO %s',
-        'tar tfO %s',
+      $path);
        $path));
    list($stdout, $file_list) = $future->resolvex();
    $file_list = explode("\n", trim($file_list));
    if (in_array('meta.json', $file_list)) {
      $future = new ExecFuture(
-        csprintf(
+        'tar xfO %s meta.json',
-          'tar xfO %s meta.json',
+        $path);
          $path));
      $meta_info = $future->resolveJSON();
      $version       = idx($meta_info, 'version', 0);
      $project_name  = idx($meta_info, 'projectName');
@ -130,9 +128,8 @@ final class ArcanistBundle {
    }
    $future = new ExecFuture(
-      csprintf(
+      'tar xfO %s changes.json',
-        'tar xfO %s changes.json',
+      $path);
        $path));
    $changes = $future->resolveJSON();
    foreach ($changes as $change_key => $change) {
--- a/src/workflow/ArcanistAnoidWorkflow.php
+++ b/src/workflow/ArcanistAnoidWorkflow.php
@ -25,8 +25,8 @@ EOTEXT
  public function run() {
    phutil_passthru(
-      dirname(phutil_get_library_root('arcanist')) . '/scripts/breakout.py'
+      '%s/scripts/breakout.py',
-    );
+      dirname(phutil_get_library_root('arcanist')));
  }
 }
--- a/src/workflow/ArcanistDiffWorkflow.php
+++ b/src/workflow/ArcanistDiffWorkflow.php
@ -868,7 +868,7 @@ EOTEXT
        fwrite(STDERR, "Reading diff from stdin...\n");
        $raw_diff = file_get_contents('php://stdin');
      } else if ($this->getArgument('raw-command')) {
-        list($raw_diff) = execx($this->getArgument('raw-command'));
+        list($raw_diff) = execx('%C', $this->getArgument('raw-command'));
      } else {
        throw new Exception("Unknown raw diff source.");
      }