Construct temporary copy of script to execute

Kevin Paulisse · Kevin Paulisse · commit 49e3484b67f4 · 2017-03-31T09:34:29.000-04:00
diff --git a/lib/octocatalog-diff/util/scriptrunner.rb b/lib/octocatalog-diff/util/scriptrunner.rb
@@ -5,6 +5,7 @@
 require 'fileutils'
 require 'open3'
 require 'shellwords'
+require 'tempfile'
 
 module OctocatalogDiff
   module Util
@@ -13,7 +14,7 @@ class ScriptRunner
       # For an exception running the script
       class ScriptException < RuntimeError; end
 
-      attr_reader :script, :logger, :stdout, :stderr, :exitcode
+      attr_reader :script, :script_src, :logger, :stdout, :stderr, :exitcode
 
       # Create the object - the object is a configured script, which can be executed multiple
       # times with different environment varibles.
@@ -24,7 +25,8 @@ class ScriptException < RuntimeError; end
       #   opts[:override_script_path] (Optional) Directory where a similarly-named script MAY exist
       def initialize(opts = {})
         @logger = opts.fetch(:logger)
-        @script = find_script(opts.fetch(:default_script), opts[:override_script_path])
+        @script_src = find_script(opts.fetch(:default_script), opts[:override_script_path])
+        @script = temp_script(@script_src)
         @stdout = nil
         @stderr = nil
         @exitcode = nil
@@ -48,7 +50,7 @@ def run(opts = {})
         env['PWD'] = working_dir
         env['PATH'] ||= ENV['PATH']
 
-        cmdline = [@script, argv].flatten.compact.map { |x| Shellwords.escape(x) }.join(' ')
+        cmdline = [script, argv].flatten.compact.map { |x| Shellwords.escape(x) }.join(' ')
         @logger.debug "Execute: #{cmdline}"
 
         @stdout, @stderr, status = Open3.capture3(env, cmdline, unsetenv_others: true, chdir: working_dir)
@@ -62,6 +64,24 @@ def run(opts = {})
 
       private
 
+      # PRIVATE: Create a temporary file with the contents of the script and mark the script executable.
+      # This is to avoid changing ownership or permissions on any user-supplied file.
+      #
+      # @param script [String] Path to script
+      # @return [String] Path to tempfile containing script
+      def temp_script(script)
+        unless File.file?(script)
+          raise Errno::ENOENT, "Script '#{script}' not found"
+        end
+        script_name, extension = script.split('.', 2)
+        tempfile = ::Tempfile.new([File.basename(script_name), ".#{extension}"])
+        tempfile.write(File.read(script))
+        tempfile.close
+        FileUtils.chmod 0o755, tempfile.path
+        at_exit { FileUtils.rm_f tempfile.path }
+        tempfile.path
+      end
+
       # PRIVATE: Determine the path to the script to execute, taking into account the default script
       # location and the optional override script path.
       #
diff --git a/spec/octocatalog-diff/tests/util/scriptrunner_spec.rb b/spec/octocatalog-diff/tests/util/scriptrunner_spec.rb
@@ -27,7 +27,7 @@
         logger: @logger
       }
       obj = described_class.new(opts)
-      expect(obj.script).to eq(__FILE__)
+      expect(obj.script_src).to eq(__FILE__)
       expect(@logger_str.string).to match(/Selecting.+scriptrunner_spec.rb from override script path/)
     end
 
@@ -40,7 +40,7 @@
       }
       obj = described_class.new(opts)
       answer = File.expand_path('../../../../scripts/env/env.sh', File.dirname(__FILE__))
-      expect(obj.script).to eq(answer)
+      expect(obj.script_src).to eq(answer)
       expect(@logger_str.string).to match(/Did not find.+env.sh in override script path/)
     end
 
@@ -52,7 +52,7 @@
       }
       obj = described_class.new(opts)
       answer = File.expand_path('../../../../scripts/env/env.sh', File.dirname(__FILE__))
-      expect(obj.script).to eq(answer)
+      expect(obj.script_src).to eq(answer)
       expect(@logger_str.string).to eq('')
     end
   end
@@ -90,5 +90,36 @@
       expect(@described_obj.stderr).to eq(stderr)
       expect(@described_obj.exitcode).to eq(42)
     end
+
+    context 'testing the environment' do
+      before(:each) do
+        ENV['THIS_SHOULD_NOT_BE_PASSED'] = 'foo'
+      end
+
+      after(:each) do
+        ENV.delete('THIS_SHOULD_NOT_BE_PASSED')
+      end
+
+      it 'should set only the defined environment' do
+        opts = {
+          :working_dir  => File.dirname(__FILE__),
+          :argv         => %w(foo bar),
+          'HELLO_WORLD' => 'booyah'
+        }
+        result = @described_obj.run(opts)
+        expect(result).to match(/HELLO_WORLD=booyah/)
+
+        env_home = Regexp.escape(ENV['HOME'])
+        expect(result).to match(/HOME=#{env_home}/)
+
+        env_path = Regexp.escape(ENV['PATH'])
+        expect(result).to match(/PATH=#{env_path}/)
+
+        env_pwd = Regexp.escape(opts[:working_dir])
+        expect(result).to match(/PWD=#{env_pwd}/)
+
+        expect(result).not_to match(/THIS_SHOULD_NOT_BE_PASSED/)
+      end
+    end
   end
 end
