Merge pull request #5142 from rubygems/local_code_execution

deivid-rodriguez · deivid-rodriguez · commit 7fa670740d80 · 2021-12-07T15:34:47.000+01:00
Pass "--" to git commands to separate positional and optional args (cherry picked from commit 6a655a6)
diff --git a/bundler/lib/bundler/source/git/git_proxy.rb b/bundler/lib/bundler/source/git/git_proxy.rb
@@ -95,12 +95,12 @@ def checkout
             SharedHelpers.filesystem_access(path.dirname) do |p|
               FileUtils.mkdir_p(p)
             end
-            git_retry "clone", configured_uri, path.to_s, "--bare", "--no-hardlinks", "--quiet"
+            git_retry "clone", "--bare", "--no-hardlinks", "--quiet", "--", configured_uri, path.to_s
             return unless extra_ref
           end
 
           with_path do
-            git_retry(*["fetch", "--force", "--quiet", "--tags", configured_uri, "refs/heads/*:refs/heads/*", extra_ref].compact, :dir => path)
+            git_retry(*["fetch", "--force", "--quiet", "--tags", "--", configured_uri, "refs/heads/*:refs/heads/*", extra_ref].compact, :dir => path)
           end
         end
 
diff --git a/bundler/spec/bundler/source/git/git_proxy_spec.rb b/bundler/spec/bundler/source/git/git_proxy_spec.rb
@@ -11,21 +11,21 @@
   context "with configured credentials" do
     it "adds username and password to URI" do
       Bundler.settings.temporary(uri => "u:p") do
-        expect(subject).to receive(:git_retry).with("clone", "https://u:p@github.com/rubygems/rubygems.git", any_args)
+        expect(subject).to receive(:git_retry).with("clone", "--bare", "--no-hardlinks", "--quiet", "--", "https://u:p@github.com/rubygems/rubygems.git", path.to_s)
         subject.checkout
       end
     end
 
     it "adds username and password to URI for host" do
       Bundler.settings.temporary("github.com" => "u:p") do
-        expect(subject).to receive(:git_retry).with("clone", "https://u:p@github.com/rubygems/rubygems.git", any_args)
+        expect(subject).to receive(:git_retry).with("clone", "--bare", "--no-hardlinks", "--quiet", "--", "https://u:p@github.com/rubygems/rubygems.git", path.to_s)
         subject.checkout
       end
     end
 
     it "does not add username and password to mismatched URI" do
       Bundler.settings.temporary("https://u:p@github.com/rubygems/rubygems-mismatch.git" => "u:p") do
-        expect(subject).to receive(:git_retry).with("clone", uri, any_args)
+        expect(subject).to receive(:git_retry).with("clone", "--bare", "--no-hardlinks", "--quiet", "--", uri, path.to_s)
         subject.checkout
       end
     end
@@ -34,7 +34,7 @@
       Bundler.settings.temporary("github.com" => "u:p") do
         original = "https://orig:info@github.com/rubygems/rubygems.git"
         subject = described_class.new(Pathname("path"), original, "HEAD")
-        expect(subject).to receive(:git_retry).with("clone", original, any_args)
+        expect(subject).to receive(:git_retry).with("clone", "--bare", "--no-hardlinks", "--quiet", "--", original, path.to_s)
         subject.checkout
       end
     end
@@ -148,4 +148,24 @@
       end
     end
   end
+
+  it "doesn't allow arbitrary code execution through Gemfile uris with a leading dash" do
+    gemfile <<~G
+      gem "poc", git: "-u./pay:load.sh"
+    G
+
+    file = bundled_app("pay:load.sh")
+
+    create_file file, <<~RUBY
+      #!/bin/sh
+
+      touch #{bundled_app("canary")}
+    RUBY
+
+    FileUtils.chmod("+x", file)
+
+    bundle :lock, :raise_on_error => false
+
+    expect(Pathname.new(bundled_app("canary"))).not_to exist
+  end
 end
