Harden system calls to git #699

Open
wants to merge 2 commits into
base: master
46 changes: 34 additions & 12 deletions autoload/vundle/installer.vim
Expand Up @@ -343,8 +343,7 @@ endf
" return -- the URL for the origin remote (string)
" ---------------------------------------------------------------------------
func! s:get_current_origin_url(bundle) abort
let cmd = 'cd '.vundle#installer#shellesc(a:bundle.path()).' && git config --get remote.origin.url'
let cmd = vundle#installer#shellesc_cd(cmd)
let cmd = s:make_git_command(a:bundle, ['config', '--get', 'remote.origin.url'])
let out = s:strip(s:system(cmd))
return out
endf
Expand All @@ -357,12 +356,37 @@ endf
" return -- A 15 character log sha for the current HEAD
" ---------------------------------------------------------------------------
func! s:get_current_sha(bundle)
let cmd = 'cd '.vundle#installer#shellesc(a:bundle.path()).' && git rev-parse HEAD'
let cmd = vundle#installer#shellesc_cd(cmd)
let cmd = s:make_git_command(a:bundle, ['rev-parse', 'HEAD'])
let out = s:system(cmd)[0:15]
return out
endf

" ---------------------------------------------------------------------------
" Build a safe (escaped) git command
"
" bundle -- A bundle object to get the path to the git dir
" args -- A list of arguments to the git executable
" return -- A string containing the escaped shell command
" ---------------------------------------------------------------------------
func! s:make_git_command(bundle, args) abort
let workdir = a:bundle.path()
let gitdir = workdir.'/.git/'

let git = ['git', '--git-dir='.gitdir, '--work-tree='.workdir]

return join(map(git + a:args, 'vundle#installer#shellesc(v:val)'))
endf

" ---------------------------------------------------------------------------
" Build a safe (escaped) command from list of git args
"
" bundle -- A bundle object to get the path to the git dir
" argss -- A list of lists of arguments to successive git calls
" return -- A string containing the escaped shell command
" ---------------------------------------------------------------------------
func! s:make_git_commands(bundle, argss) abort
return join(map(a:argss, 's:make_git_command(a:bundle, v:val)'), ' && ')
endf

" ---------------------------------------------------------------------------
" Create the appropriate sync command to run according to the current state of
Expand All @@ -388,14 +412,12 @@ func! s:make_sync_command(bang, bundle) abort
call s:log('> Plugin ' . a:bundle.name . ' new URI: ' . a:bundle.uri)
" Directory names match but the origin remotes are not the same
let cmd_parts = [
\ 'cd '.vundle#installer#shellesc(a:bundle.path()) ,
\ 'git remote set-url origin ' . vundle#installer#shellesc(a:bundle.uri),
\ 'git fetch',
\ 'git reset --hard origin/HEAD',
\ 'git submodule update --init --recursive',
\ ]
let cmd = join(cmd_parts, ' && ')
let cmd = vundle#installer#shellesc_cd(cmd)
\ [ 'remote', 'set-url', 'origin', a:bundle.uri ],
\ [ 'fetch' ],
\ [ 'reset', '--hard', 'origin/HEAD' ],
\ [ 'submodule', 'update', '--init', '--recursive' ]
\]
let cmd = s:make_git_commands(a:bundle, cmd_parts)
let initial_sha = ''
return [cmd, initial_sha]
endif
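Review bot: `s:make_git_commands` runs `map()` directly on `a:argss`, and Vim's `map()` rewrites the list in place, so the caller's `cmd_parts` in `s:make_sync_command` is silently turned into a list of shell strings as a side effect of building the command; `s:make_git_command` only avoids the same problem because `git + a:args` allocates a fresh list. Make the helper side-effect free with `return join(map(copy(a:argss), 's:make_git_command(a:bundle, v:val)'), ' && ')` so `cmd_parts` can still be logged or reused after the call. Separately, every command is now run from Vim's current directory with only `--git-dir`/`--work-tree` pointing at the bundle instead of a `cd`; `git submodule update --init --recursive` has historically been sensitive to being invoked outside the work tree, so the set-url path that ends in that step deserves an explicit test before merging (I have not verified the behaviour for the git versions Vundle supports). The body of `s:make_sync_command` starts and ends outside the hunk.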
7 changes: 2 additions & 5 deletions autoload/vundle/scripts.vim
Expand Up @@ -83,11 +83,8 @@ func! s:create_changelog() abort
let updated_sha = bundle_data[1]
let bundle = bundle_data[2]

let cmd = 'cd '.vundle#installer#shellesc(bundle.path()).
\ ' && git log --pretty=format:"%s %an, %ar" --graph '.
\ initial_sha.'..'.updated_sha

let cmd = vundle#installer#shellesc_cd(cmd)
let cmd = s:make_git_command(bundle, ['log', '--pretty=format:"%s %an, %ar"',
\ '--graph', initial_sha.'..'.updated_sha ])

let updates = system(cmd)

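Review bot: The format argument on the new line keeps its shell-style double quotes, `'--pretty=format:"%s %an, %ar"'`, but each element is now escaped individually by `vundle#installer#shellesc`, so the `"` characters are no longer consumed by the shell and reach git as part of the format string (the old single-string command let the shell strip them). Assuming shellesc wraps arguments in single quotes on Unix as Vim's `shellescape()` does, every changelog line will now be wrapped in literal quotes; on a double-quote-wrapping Windows shell the result is mangled differently, so the quotes should go either way: `let cmd = s:make_git_command(bundle, ['log', '--pretty=format:%s %an, %ar',` followed by the unchanged `\ '--graph', initial_sha.'..'.updated_sha ])`. `s:create_changelog` starts and ends outside the hunk.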