From 0432bdf19eb3483e109582832a36dc7a3601a384 Mon Sep 17 00:00:00 2001
From: Jacob Vosmaer <contact@jacobvosmaer.nl>
Date: Tue, 25 Feb 2014 11:57:42 +0100
Subject: [PATCH] Change Gitlab::Popen to use arrays for commands

---
 lib/gitlab/popen.rb           |  9 +++++++--
 spec/lib/gitlab/popen_spec.rb | 11 +++++++++--
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/lib/gitlab/popen.rb b/lib/gitlab/popen.rb
index 5283cf0b821..d10269f4438 100644
--- a/lib/gitlab/popen.rb
+++ b/lib/gitlab/popen.rb
@@ -1,8 +1,13 @@
 require 'fileutils'
+require 'open3'
 
 module Gitlab
   module Popen
     def popen(cmd, path)
+      unless cmd.is_a?(Array)
+        raise "System commands must be given as an array of strings"
+      end
+
       vars = { "PWD" => path }
       options = { chdir: path }
 
@@ -12,10 +17,10 @@ module Gitlab
 
       @cmd_output = ""
       @cmd_status = 0
-      Open3.popen3(vars, cmd, options) do |stdin, stdout, stderr, wait_thr|
-        @cmd_status = wait_thr.value.exitstatus
+      Open3.popen3(vars, *cmd, options) do |stdin, stdout, stderr, wait_thr|
         @cmd_output << stdout.read
         @cmd_output << stderr.read
+        @cmd_status = wait_thr.value.exitstatus
       end
 
       return @cmd_output, @cmd_status
diff --git a/spec/lib/gitlab/popen_spec.rb b/spec/lib/gitlab/popen_spec.rb
index 4791be41613..a4a0846b7b9 100644
--- a/spec/lib/gitlab/popen_spec.rb
+++ b/spec/lib/gitlab/popen_spec.rb
@@ -10,7 +10,7 @@ describe 'Gitlab::Popen', no_db: true do
 
   context 'zero status' do
     before do
-      @output, @status = @klass.new.popen('ls', path)
+      @output, @status = @klass.new.popen(%W(ls), path)
     end
 
     it { @status.should be_zero }
@@ -19,11 +19,18 @@ describe 'Gitlab::Popen', no_db: true do
 
   context 'non-zero status' do
     before do
-      @output, @status = @klass.new.popen('cat NOTHING', path)
+      @output, @status = @klass.new.popen(%W(cat NOTHING), path)
     end
 
     it { @status.should == 1 }
     it { @output.should include('No such file or directory') }
   end
+
+  context 'unsafe string command' do
+    it 'raises an error when it gets called with a string argument' do
+      expect { @klass.new.popen('ls', path) }.to raise_error
+    end
+  end
+
 end
 
-- 
GitLab