- From: Holger Just
- To: Chef Dev
- Subject: [chef-dev] Re: gem_package (and shellout generally) on windows
- Date: Fri, 02 Nov 2012 09:18:43 +0100
Hi Joseph,

On 2012-11-02 04:15, Joseph Holsten wrote:
> But shellout isn't quoting or escaping (correctly?). I just tried
> looking at mixlib-shellout/lib/mixlib/shellout/windows.rb, but
> clearly I'm out of my depth trying to grok win32/process.
>
> https://github.com/opscode/chef/blob/master/lib/chef/provider/package/rubygems.rb#L505
>
> Should that command be quoted before it gets to shellout?
> Should whitespace be escaped instead? Should shellout handle it
> transparently?

Unfortunately, you can't just quote any whitespace you find in
shell_out! anymore as you can't know which space should be quoted
(inside the paths) and which shouldn't (between arguments).

I personally see two usable alternatives for actually fixing that:

1) You state in the documentation that every variable part of a shelled
out command should be quoted by the user. For Linux, you could use the
builtin Shellwords.escape [1] which escapes strings for the Bourne
shell. I'm sure there is a similar module for the Windows shell
somewhere. This change then would need to be applied in every invocation
of that method.

2) You extend the shell_out! method (and all similar ones) to optionally
accept an Array as the first argument instead of a String. Each element
in that array would represent a distinguished argument (including the
actual executable). Inside shell_out! you can then individually quote
each argument and safely concat them for execution. That way, each
consumer of the function can use it in a way to make it much more safe
without having to reason about quotes on each and every invocation.

While I'd tremendously prefer the second option, it has a tiny little
downside as it would still require some thoughts about how to handle
pipes (though I honestly don't know if it is supported right now at all).

As a source of inspiration, I'd like to point to the cocaine gem [2]
which nicely encapsulates shell outs and handles the basic case in just
a few lines of code.

--Holger

[1] http://www.ruby-doc.org/stdlib-1.9.3/libdoc/shellwords/rdoc/Shellwords.html
[2] https://github.com/thoughtbot/cocaine
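
The following is an added example, not part of the original message and not code from Chef or mixlib-shellout: a sketch of the Array-accepting variant described in option 2, for the Bourne shell only, compared with naive string interpolation. The helper names (build_command, received_args) and the sample path and version values are assumptions made up for the illustration.

```ruby
require 'open3'
require 'shellwords'

# Hypothetical helper, not part of Chef or mixlib-shellout.
# A String is passed through untouched (the caller owns the quoting, option 1);
# an Array is treated as one element per argument and each is escaped (option 2).
def build_command(command)
  case command
  when String
    command
  when Array
    raise ArgumentError, 'command array is empty' if command.empty?
    command.map { |arg| Shellwords.escape(arg.to_s) }.join(' ')
  else
    raise ArgumentError, "expected String or Array, got #{command.class}"
  end
end

# Runs the command line through the Bourne shell and returns the arguments the
# program actually received, one per line of output.
def received_args(command)
  out, status = Open3.capture2('/bin/sh', '-c', build_command(command))
  raise "command failed: #{status.exitstatus}" unless status.success?
  out.lines.map(&:chomp)
end

# Constructed sample values: a path containing a space and an argument
# containing a shell metacharacter.
GEM_BIN = '/opt/my ruby/bin/gem'
VERSION = '1.0; echo extra'

# String form with naive interpolation: the shell splits the path on the space
# and treats ';' as a command separator, so a second command runs.
NAIVE  = received_args("printf '%s\\n' #{GEM_BIN} #{VERSION}")
# Array form: each element arrives as exactly one argument.
QUOTED = received_args(['printf', '%s\n', GEM_BIN, VERSION])

if __FILE__ == $PROGRAM_NAME
  puts "naive:  #{NAIVE.inspect}"
  puts "quoted: #{QUOTED.inspect}"
end
```

Shellwords.escape targets the Bourne shell, so this sketch does not address the Windows quoting rules that the thread is ultimately about.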