Merge remote-tracking branch 'origin/master' into kpaulisse-validate-references-alias

Kevin Paulisse · Kevin Paulisse · commit 9185848fac10 · 2017-01-02T10:25:24.000-06:00
diff --git a/lib/octocatalog-diff/catalog-util/command.rb b/lib/octocatalog-diff/catalog-util/command.rb
@@ -115,13 +115,24 @@ def override_and_append_commandline_with_user_supplied_arguments(cmdline)
           unless opt =~ /\A--([^=\s]+)(=.+)?\z/
             raise ArgumentError, "Command line option '#{opt}' does not match format '--SOME_OPTION=SOME_VALUE'"
           end
-          key = Shellwords.escape(Regexp.last_match(1))
+          key = Regexp.last_match(1)
           val = Regexp.last_match(2)
-          val.sub!(/\A=/, '') if val.is_a?(String)
+
+          # The key should not contain any shell metacharacters. Ensure that this is the case.
+          unless key == Shellwords.escape(key)
+            raise ArgumentError, "Command line option '#{key}' is invalid."
+          end
+
+          # If val is nil, then it's a '--key' argument. Else, it's a '--key=value' argument. Escape
+          # the value to ensure it do not break the shell interpretation.
+          new_setting = if val.nil?
+            "--#{key}"
+          else
+            "--#{key}=#{Shellwords.escape(val.sub(/\A=/, ''))}"
+          end
 
           # Determine if command line already contains this setting. If yes, the setting provided
           # here should override. If no, then append to the commandline.
-          new_setting = val.nil? ? "--#{key}" : "--#{key}=#{Shellwords.escape(val)}"
           ind = key_position(cmdline, key)
           if ind.nil?
             cmdline << new_setting
diff --git a/spec/octocatalog-diff/tests/catalog-util/command_spec.rb b/spec/octocatalog-diff/tests/catalog-util/command_spec.rb
@@ -153,6 +153,18 @@
   end
 
   describe '#override_and_append_commandline_with_user_supplied_arguments' do
+    context 'with invalid key' do
+      it 'should raise ArgumentError' do
+        described_object = described_class.allocate
+        cmdline = ['--foo', '--bar=baz']
+        test_cmdline = ['--foo$bar']
+        described_object.instance_variable_set('@options', command_line: test_cmdline)
+        expect do
+          described_object.send(:override_and_append_commandline_with_user_supplied_arguments, cmdline)
+        end.to raise_error(ArgumentError, /Command line option 'foo\$bar' is invalid/)
+      end
+    end
+
     context 'with standalone key' do
       context 'when not existing' do
         it 'should append standalone key' do
