Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

shell-escape supplied Subversion credentials #2017

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

shell-escape supplied Subversion credentials #2017

wants to merge 3 commits into from

Conversation

joshpencheon
Copy link

@joshpencheon joshpencheon commented May 13, 2019
edited

Summary

Previously, if svn_username or svn_password contained e.g. whitespace, the SCM commands would fail.
This PR uses the shellwords library (part of stdlib) to properly escape them.

Short checklist

  • Did you run bundle exec rubocop -a to fix linter issues?
  • If relevant, did you create a test?
  • Did you confirm that the RSpec tests pass?
  • If you are fixing a bug or introducing a new feature, did you add a CHANGELOG entry?

@joshpencheon
shell-escape supplied Subversion credentials
359da62 
Previously, if username or password contained e.g. whitespace, the commands would fail
@joshpencheon
Add CHANGELOG entry
368f43c
@joshpencheon
restore placeholder to changelog
ada7768
@leehambley
Copy link
Member

hi @joshpencheon thanks for your submission. Can you tell me a bit more about whats going on here and if you have any idea why now, 6 years (!!) after we wrote the code is now a good time to change it.

I'd suspect SVN isn't exercised very much and you have unusual chars in your password, but I'd like to verify those assumptions before acting.

Thanks!

@joshpencheon
Copy link
Author

Dear @leehambley,

Thanks for taking a look. We're still using a private SVN repository for many of our codebases. Almost all of our projects are still using Capistrano 2 for other reasons, a recent one has finally (!) made the switch to Capistrano 3. With this came the switch to having a checkout of the repository on the target machine, rather than the client machine, which is why only now are we sending SCM credentials through Capistrano.

We found that some staff were able to deploy the project, and others couldn't. Upon taking the hood up, I realised these parameters are passed through without shell escaping, and sshkit does not escape them either. It then transpired that the staff members having problems had spaces in their SVN passwords.

Thanks,
Josh

@leehambley
Copy link
Member

I'm happy to take a patch, but we're not due a release for some time.

Have you considered using something like https://stackoverflow.com/questions/3985983/how-can-i-checkout-password-protected-subversion-repositories-with-bitbake ?

That has its drawbacks, but may simplify the svn repo <--> server part of your authentication/authorization story?

@joshpencheon
Copy link
Author

Thanks for the pointer, @leehambley - we've got a workaround at the point where we feed credentials i in to Capistrano, so we're set for the time being.

I can only hypothesise why this issue hasn't been reported before, but including this patch in the next scheduled release would be much appreciated :)

@will-in-wi
Copy link
Contributor

Hey @leehambley this makes sense to me. Any concerns with merging it?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@will-in-wi will-in-wi will-in-wi approved these changes

@leehambley leehambley Awaiting requested review from leehambley

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@joshpencheon @leehambley @will-in-wi