Merge pull request #105 from Masterminds/moar-fixes

Moar fixes

Author: mattfarina

CHANGELOG.md

@@ -1,9 +1,10 @@
 # Changelog
 
-## 1.13.1 (2022-03-xx)
+## 1.13.2 (2022-03-30)
 
 ### Fixed
 
+- Fix for CVE-2022-21235
 - #103: Fixed CI testing. This included moving to GitHub Actions, updating the
   the Git submodule handling, and skipping bzr tests on Windows (bzr has
   discontinued and the installer now installs a broken environment)

bzr.go

@@ -80,7 +80,7 @@ func (s *BzrRepo) Get() error {
 		}
 	}
 
-	out, err := s.run("bzr", "branch", s.Remote(), s.LocalPath())
+	out, err := s.run("bzr", "branch", "--", s.Remote(), s.LocalPath())
 	if err != nil {
 		return NewRemoteError("Unable to get repository", err, string(out))
 	}
@@ -90,7 +90,7 @@ func (s *BzrRepo) Get() error {
 
 // Init initializes a bazaar repository at local location.
 func (s *BzrRepo) Init() error {
-	out, err := s.run("bzr", "init", s.LocalPath())
+	out, err := s.run("bzr", "init", "--", s.LocalPath())
 
 	// There are some windows cases where bazaar cannot create the parent
 	// directory if it does not already exist, to the location it's trying
@@ -104,7 +104,7 @@ func (s *BzrRepo) Init() error {
 				return NewLocalError("Unable to initialize repository", err, "")
 			}
 
-			out, err = s.run("bzr", "init", s.LocalPath())
+			out, err = s.run("bzr", "init", "--", s.LocalPath())
 			if err != nil {
 				return NewLocalError("Unable to initialize repository", err, string(out))
 			}
@@ -310,13 +310,13 @@ func (s *BzrRepo) Ping() bool {
 
 	// This is the same command that Go itself uses but it's not fast (or fast
 	// enough by my standards). A faster method would be useful.
-	_, err = s.run("bzr", "info", s.Remote())
+	_, err = s.run("bzr", "info", "--", s.Remote())
 	return err == nil
 }
 
 // ExportDir exports the current revision to the passed in directory.
 func (s *BzrRepo) ExportDir(dir string) error {
-	out, err := s.RunFromDir("bzr", "export", dir)
+	out, err := s.RunFromDir("bzr", "export", "--", dir)
 	s.log(out)
 	if err != nil {
 		return NewLocalError("Unable to export source", err, string(out))

git.go

@@ -71,7 +71,7 @@ func (s GitRepo) Vcs() Type {
 
 // Get is used to perform an initial clone of a repository.
 func (s *GitRepo) Get() error {
-	out, err := s.run("git", "clone", "--recursive", s.Remote(), s.LocalPath())
+	out, err := s.run("git", "clone", "--recursive", "--", s.Remote(), s.LocalPath())
 
 	// There are some windows cases where Git cannot create the parent directory,
 	// if it does not already exist, to the location it's trying to create the
@@ -85,7 +85,7 @@ func (s *GitRepo) Get() error {
 				return NewLocalError("Unable to create directory", err, "")
 			}
 
-			out, err = s.run("git", "clone", s.Remote(), s.LocalPath())
+			out, err = s.run("git", "clone", "--recursive", "--", s.Remote(), s.LocalPath())
 			if err != nil {
 				return NewRemoteError("Unable to get repository", err, string(out))
 			}
@@ -101,7 +101,7 @@ func (s *GitRepo) Get() error {
 
 // Init initializes a git repository at local location.
 func (s *GitRepo) Init() error {
-	out, err := s.run("git", "init", s.LocalPath())
+	out, err := s.run("git", "init", "--", s.LocalPath())
 
 	// There are some windows cases where Git cannot create the parent directory,
 	// if it does not already exist, to the location it's trying to create the
@@ -115,7 +115,7 @@ func (s *GitRepo) Init() error {
 				return NewLocalError("Unable to initialize repository", err, "")
 			}
 
-			out, err = s.run("git", "init", s.LocalPath())
+			out, err = s.run("git", "init", "--", s.LocalPath())
 			if err != nil {
 				return NewLocalError("Unable to initialize repository", err, string(out))
 			}
@@ -132,7 +132,7 @@ func (s *GitRepo) Init() error {
 // Update performs an Git fetch and pull to an existing checkout.
 func (s *GitRepo) Update() error {
 	// Perform a fetch to make sure everything is up to date.
-	out, err := s.RunFromDir("git", "fetch", "--tags", s.RemoteLocation)
+	out, err := s.RunFromDir("git", "fetch", "--tags", "--", s.RemoteLocation)
 	if err != nil {
 		return NewRemoteError("Unable to update repository", err, string(out))
 	}

hg.go

@@ -72,7 +72,7 @@ func (s HgRepo) Vcs() Type {
 
 // Get is used to perform an initial clone of a repository.
 func (s *HgRepo) Get() error {
-	out, err := s.run("hg", "clone", s.Remote(), s.LocalPath())
+	out, err := s.run("hg", "clone", "--", s.Remote(), s.LocalPath())
 	if err != nil {
 		return NewRemoteError("Unable to get repository", err, string(out))
 	}
@@ -81,7 +81,7 @@ func (s *HgRepo) Get() error {
 
 // Init will initialize a mercurial repository at local location.
 func (s *HgRepo) Init() error {
-	out, err := s.run("hg", "init", s.LocalPath())
+	out, err := s.run("hg", "init", "--", s.LocalPath())
 	if err != nil {
 		return NewLocalError("Unable to initialize repository", err, string(out))
 	}
@@ -100,7 +100,7 @@ func (s *HgRepo) UpdateVersion(version string) error {
 		return NewLocalError("Unable to update checked out version", err, string(out))
 	}
 	if len(strings.TrimSpace(version)) > 0 {
-		out, err = s.RunFromDir("hg", "update", version)
+		out, err = s.RunFromDir("hg", "update", "--", version)
 	} else {
 		out, err = s.RunFromDir("hg", "update")
 	}
@@ -310,14 +310,14 @@ func (s *HgRepo) TagsFromCommit(id string) ([]string, error) {
 
 // Ping returns if remote location is accessible.
 func (s *HgRepo) Ping() bool {
-	_, err := s.run("hg", "identify", s.Remote())
+	_, err := s.run("hg", "identify", "--", s.Remote())
 	return err == nil
 }
 
 // ExportDir exports the current revision to the passed in directory.
 func (s *HgRepo) ExportDir(dir string) error {
 
-	out, err := s.RunFromDir("hg", "archive", dir)
+	out, err := s.RunFromDir("hg", "archive", "--", dir)
 	s.log(out)
 	if err != nil {
 		return NewLocalError("Unable to export source", err, string(out))

svn.go

@@ -37,7 +37,7 @@ func NewSvnRepo(remote, local string) (*SvnRepo, error) {
 	if err == nil && r.CheckLocal() {
 		// An SVN repo was found so test that the URL there matches
 		// the repo passed in here.
-		out, err := exec.Command("svn", "info", local).CombinedOutput()
+		out, err := exec.Command("svn", "info", "--", local).CombinedOutput()
 		if err != nil {
 			return nil, NewLocalError("Unable to retrieve local repo information", err, string(out))
 		}
@@ -80,7 +80,7 @@ func (s *SvnRepo) Get() error {
 	} else if runtime.GOOS == "windows" && filepath.VolumeName(remote) != "" {
 		remote = "file:///" + remote
 	}
-	out, err := s.run("svn", "checkout", remote, s.LocalPath())
+	out, err := s.run("svn", "checkout", "--", remote, s.LocalPath())
 	if err != nil {
 		return NewRemoteError("Unable to get repository", err, string(out))
 	}
@@ -341,14 +341,14 @@ func (s *SvnRepo) TagsFromCommit(id string) ([]string, error) {
 
 // Ping returns if remote location is accessible.
 func (s *SvnRepo) Ping() bool {
-	_, err := s.run("svn", "--non-interactive", "info", s.Remote())
+	_, err := s.run("svn", "--non-interactive", "info", "--", s.Remote())
 	return err == nil
 }
 
 // ExportDir exports the current revision to the passed in directory.
 func (s *SvnRepo) ExportDir(dir string) error {
 
-	out, err := s.RunFromDir("svn", "export", ".", dir)
+	out, err := s.RunFromDir("svn", "export", "--", ".", dir)
 	s.log(out)
 	if err != nil {
 		return NewLocalError("Unable to export source", err, string(out))