Auto merge of #5297 - bundler:seg-git-branch-hash, r=indirect

[GitProxy] Support branches containing shell metacharacters Closes #5295 (cherry picked from commit 084cbc72c7bb10977fe5826c299e662f8b0fd8b9)
author: The Bundler Bot <bot@bundler.io> 2017-01-05 23:09:33 +0000
committer: Samuel Giddins <segiddins@segiddins.me> 2017-01-11 14:28:41 -0600
commit: b89e37457d220d1d43052ac5f37f3d2070bf1f7a (patch)
tree: b3ce3c1da6bd358819cba9b6c3b0fefc66ac71b4
parent: 438c2b17c53feff705f0a21f6edf6436c9f9a4d3 (diff)
download: bundler-b89e37457d220d1d43052ac5f37f3d2070bf1f7a.tar.gz
3 files changed, 96 insertions, 5 deletions
diff --git a/lib/bundler/source/git/git_proxy.rb b/lib/bundler/source/git/git_proxy.rb
index c44f00d7b1..e9b9c4dbe4 100644
--- a/lib/bundler/source/git/git_proxy.rb
+++ b/lib/bundler/source/git/git_proxy.rb
@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+require "shellwords"
 require "tempfile"
 module Bundler
   class Source
@@ -180,7 +181,7 @@ module Bundler
 
         def find_local_revision
           allowed_in_path do
-            git("rev-parse --verify #{ref}", true).strip
+            git("rev-parse --verify #{Shellwords.shellescape(ref)}", true).strip
           end
         end
 
diff --git a/spec/install/gemfile/git_spec.rb b/spec/install/gemfile/git_spec.rb
index 85a7693b5a..aa5ca7cfef 100644
--- a/spec/install/gemfile/git_spec.rb
+++ b/spec/install/gemfile/git_spec.rb
@@ -209,6 +209,94 @@ describe "bundle install with git sources" do
     end
   end
 
+  describe "when specifying a branch" do
+    let(:branch) { "branch" }
+    let(:repo) { build_git("foo").path }
+    before(:each) do
+      update_git("foo", :path => repo, :branch => branch)
+    end
+
+    it "works" do
+      install_gemfile <<-G
+        git "#{repo}", :branch => #{branch.dump} do
+          gem "foo"
+        end
+      G
+
+      expect(the_bundle).to include_gems("foo 1.0")
+    end
+
+    context "when the branch starts with a `#`" do
+      let(:branch) { "#149/redirect-url-fragment" }
+      it "works" do
+        install_gemfile <<-G
+          git "#{repo}", :branch => #{branch.dump} do
+            gem "foo"
+          end
+        G
+
+        expect(the_bundle).to include_gems("foo 1.0")
+      end
+    end
+
+    context "when the branch includes quotes" do
+      let(:branch) { %('") }
+      it "works" do
+        install_gemfile <<-G
+          git "#{repo}", :branch => #{branch.dump} do
+            gem "foo"
+          end
+        G
+
+        expect(the_bundle).to include_gems("foo 1.0")
+      end
+    end
+  end
+
+  describe "when specifying a tag" do
+    let(:tag) { "tag" }
+    let(:repo) { build_git("foo").path }
+    before(:each) do
+      update_git("foo", :path => repo, :tag => tag)
+    end
+
+    it "works" do
+      install_gemfile <<-G
+        git "#{repo}", :tag => #{tag.dump} do
+          gem "foo"
+        end
+      G
+
+      expect(the_bundle).to include_gems("foo 1.0")
+    end
+
+    context "when the tag starts with a `#`" do
+      let(:tag) { "#149/redirect-url-fragment" }
+      it "works" do
+        install_gemfile <<-G
+          git "#{repo}", :tag => #{tag.dump} do
+            gem "foo"
+          end
+        G
+
+        expect(the_bundle).to include_gems("foo 1.0")
+      end
+    end
+
+    context "when the tag includes quotes" do
+      let(:tag) { %('") }
+      it "works" do
+        install_gemfile <<-G
+          git "#{repo}", :tag => #{tag.dump} do
+            gem "foo"
+          end
+        G
+
+        expect(the_bundle).to include_gems("foo 1.0")
+      end
+    end
+  end
+
   describe "when specifying local override" do
     it "uses the local repository instead of checking a new one out" do
       # We don't generate it because we actually don't need it
diff --git a/spec/support/builders.rb b/spec/support/builders.rb
index 0b660f12f5..bda808c0b2 100644
--- a/spec/support/builders.rb
+++ b/spec/support/builders.rb
@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 require "bundler/shared_helpers"
+require "shellwords"
 
 module Spec
   module Builders
@@ -664,14 +665,15 @@ module Spec
 
           if branch = options[:branch]
             raise "You can't specify `master` as the branch" if branch == "master"
+            escaped_branch = Shellwords.shellescape(branch)
 
-            if `git branch | grep #{branch}`.empty?
-              silently("git branch #{branch}")
+            if `git branch | grep #{escaped_branch}`.empty?
+              silently("git branch #{escaped_branch}")
             end
 
-            silently("git checkout #{branch}")
+            silently("git checkout #{escaped_branch}")
           elsif tag = options[:tag]
-            `git tag #{tag}`
+            `git tag #{Shellwords.shellescape(tag)}`
           elsif options[:remote]
             silently("git remote add origin file://#{options[:remote]}")
           elsif options[:push]
author	The Bundler Bot <bot@bundler.io>	2017-01-05 23:09:33 +0000
committer	Samuel Giddins <segiddins@segiddins.me>	2017-01-11 14:28:41 -0600
commit	b89e37457d220d1d43052ac5f37f3d2070bf1f7a (patch)
tree	b3ce3c1da6bd358819cba9b6c3b0fefc66ac71b4
parent	438c2b17c53feff705f0a21f6edf6436c9f9a4d3 (diff)
download	bundler-b89e37457d220d1d43052ac5f37f3d2070bf1f7a.tar.gz