Escape arguments correctly

Signed-off-by: Joas Schilling <coding@schilljs.com>

lib/Chat/Command/Executor.php

@@ -34,7 +34,7 @@ class Executor {
 	public const PLACEHOLDER_ROOM = '{ROOM}';
 	public const PLACEHOLDER_USER = '{USER}';
 	public const PLACEHOLDER_ARGUMENTS = '{ARGUMENTS}';
-
+	public const PLACEHOLDER_ARGUMENTS_DOUBLEQUOTE_ESCAPED = '{ARGUMENTS_DOUBLEQUOTE_ESCAPED}';
 
 	/** @var EventDispatcherInterface */
 	protected $dispatcher;
@@ -44,11 +44,11 @@ class Executor {
 	}
 
 	public function exec(Room $room, IComment $message, Command $command, string $arguments): void {
-		if ($command->getApp() !== '') {
-			$output = $this->execApp($room, $message, $command, $arguments);
-		} else if ($command->getCommand() === 'help') {
+		if ($command->getApp() === '' && $command->getCommand() === 'help') {
 			$output = $this->execHelp($room, $message, $command, $arguments);
-		} else {
+		} else if ($command->getApp() !== '') {
+			$output = $this->execApp($room, $message, $command, $arguments);
+		} else  {
 			$output = $this->execShell($room, $message, $command, $arguments);
 		}
 
@@ -62,24 +62,29 @@ class Executor {
 		$message->setVerb('command');
 	}
 
-	protected function execApp(Room $room, IComment $message, Command $command, string $arguments): string {
-		$output = '';
-
-		$this->dispatcher->dispatch(self::class . '::execApp', new GenericEvent($command, [
-			'room' => $room,
-			'message' => $message,
-			'arguments' => $arguments,
-			'output' => $output,
-		]));
-
-		return $output;
-	}
-
 	protected function execHelp(Room $room, IComment $message, Command $command, string $arguments): string {
 		// FIXME Implement a useful help
 		return $arguments;
 	}
 
+	protected function execApp(Room $room, IComment $message, Command $command, string $arguments): string {
+		$event = $this->createEvent($command);
+		$event->setArguments([
+			'room' => $room,
+			'message' => $message,
+			'arguments' => $arguments,
+			'output' => '',
+		]);
+
+		$this->dispatcher->dispatch(self::class . '::execApp', $event);
+
+		return (string) $event->getArgument('output');
+	}
+
+	protected function createEvent(Command $command): GenericEvent {
+		return new GenericEvent($command);
+	}
+
 	protected function execShell(Room $room, IComment $message, Command $command, string $arguments): string {
 		$user = $message->getActorType() === 'users' ? $message->getActorId() : '';
 
@@ -87,15 +92,58 @@ class Executor {
 			self::PLACEHOLDER_ROOM,
 			self::PLACEHOLDER_USER,
 			self::PLACEHOLDER_ARGUMENTS,
+			self::PLACEHOLDER_ARGUMENTS_DOUBLEQUOTE_ESCAPED,
 		], [
-			$room->getToken(),
-			$user,
-			$arguments,
+			escapeshellarg($room->getToken()),
+			escapeshellarg($user),
+			$this->escapeArguments($arguments),
+			str_replace('"', '\\"', $arguments),
 		], $command->getScript());
 
+		return $this->wrapExec($cmd);
+	}
+
+	protected function escapeArguments(string $argumentString): string {
+		$arguments = explode(' ', $argumentString);
+
+		$result = [];
+		$buffer = [];
+		$quote = '';
+		foreach ($arguments as $argument) {
+			if ($quote === '') {
+				if (ltrim($argument, '"\'') === $argument) {
+					$result[] = escapeshellarg($argument);
+				} else {
+					$quote = $argument[0];
+					$temp = substr($argument, 1);
+					if (rtrim($temp, $quote) === $temp) {
+						$buffer[] = $temp;
+					} else {
+						$result[] = $quote . str_replace($quote, '\\'. $quote, substr($temp, 0, -1)) . $quote;
+						$quote = '';
+					}
+				}
+			} else if (rtrim($argument, $quote) === $argument) {
+				$buffer[] = $argument;
+			} else {
+				$buffer[] = substr($argument, 0, -1);
+
+				$result[] = $quote . str_replace($quote, '\\'. $quote, implode(' ', $buffer)) . $quote;
+				$quote = '';
+				$buffer = [];
+			}
+		}
+
+		if ($quote !== '') {
+			$result[] = escapeshellarg($quote . implode(' ', $buffer));
+		}
+
+		return implode(' ', $result);
+	}
+
+	protected function wrapExec(string $cmd): string {
 		$output = [];
 		exec($cmd, $output);
-
 		return implode("\n", $output);
 	}
 }

tests/php/Chat/Command/ExecutorTest.php

@@ -0,0 +1,175 @@
+<?php
+
+/**
+ *
+ * @copyright Copyright (c) 2017, Daniel Calviño Sánchez (danxuliu@gmail.com)
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Spreed\Tests\php\Chat\Command;
+
+use OCA\Spreed\Chat\Command\Executor;
+use OCA\Spreed\Model\Command;
+use OCA\Spreed\Room;
+use OCP\Comments\IComment;
+use PHPUnit\Framework\MockObject\MockObject;
+use Symfony\Component\EventDispatcher\EventDispatcherInterface;
+use Symfony\Component\EventDispatcher\GenericEvent;
+
+class ExecutorTest extends \Test\TestCase {
+
+	/** @var EventDispatcherInterface|MockObject */
+	protected $dispatcher;
+
+	/** @var Executor */
+	protected $executor;
+
+	public function setUp() {
+		parent::setUp();
+
+		$this->dispatcher = $this->createMock(EventDispatcherInterface::class);
+		$this->executor = new Executor($this->dispatcher);
+	}
+
+	public function dataExecApp(): array {
+		return [
+			['arguments1', ''],
+			['arguments2', "output from\nevent"],
+		];
+	}
+
+	/**
+	 * @dataProvider dataExecApp
+	 * @param string $arguments
+	 * @param string $expected
+	 */
+	public function testExecApp(string $arguments, string $expected): void {
+		$message = $this->createMock(IComment::class);
+		$room = $this->createMock(Room::class);
+		$command = Command::fromParams([]);
+
+		$event = $this->createMock(GenericEvent::class);
+		$event->expects($this->once())
+			->method('setArguments')
+			->with([
+				'room' => $room,
+				'message' => $message,
+				'arguments' => $arguments,
+				'output' => '',
+			]);
+		$event->expects($this->once())
+			->method('getArgument')
+			->with('output')
+			->willReturn($expected);
+
+		$executor = $this->getMockBuilder(Executor::class)
+			->setConstructorArgs([$this->dispatcher])
+			->setMethods(['createEvent'])
+			->getMock();
+		$executor->expects($this->once())
+			->method('createEvent')
+			->with($command)
+			->willReturn($event);
+
+		$this->dispatcher->expects($this->once())
+			->method('dispatch')
+			->with(Executor::class . '::execApp', $event);
+
+		$this->assertSame($expected, self::invokePrivate($executor, 'execApp', [$room, $message, $command, $arguments]));
+	}
+
+	public function dataExecShell(): array {
+		return [
+			['admin', 'token', '', '', '', ''],
+			['admin', 'token', '/var/www/nextcloud/script.sh {USER} {ROOM} {ARGUMENTS}', 'foo bar "hello bear"', "/var/www/nextcloud/script.sh 'admin' 'token' 'foo' 'bar' \"hello bear\"", 'output1'],
+			['admin', 'token', '/var/www/nextcloud/script.sh {USER} {ROOM} --arguments="{ARGUMENTS_DOUBLEQUOTE_ESCAPED}"', 'foo bar "hello bear"', "/var/www/nextcloud/script.sh 'admin' 'token' --arguments=\"foo bar \\\"hello bear\\\"\"", "out\nput\n2"],
+		];
+	}
+
+	/**
+	 * @dataProvider dataExecShell
+	 * @param string|null $actorId
+	 * @param string $roomToken
+	 * @param string $script
+	 * @param string $arguments
+	 * @param string $expected
+	 * @param string $output
+	 */
+	public function testExecShell(?string $actorId, string $roomToken, string $script, string $arguments, string $expected, string $output): void {
+		$message = $this->createMock(IComment::class);
+		if ($actorId === null) {
+			$message->expects($this->once())
+				->method('getActorType')
+				->willReturn('guests');
+			$message->expects($this->never())
+				->method('getActorId');
+		} else {
+			$message->expects($this->once())
+				->method('getActorType')
+				->willReturn('users');
+			$message->expects($this->once())
+				->method('getActorId')
+				->willReturn($actorId);
+		}
+
+		$room = $this->createMock(Room::class);
+		$room->expects($this->once())
+			->method('getToken')
+			->willReturn($roomToken);
+
+		$command = Command::fromParams([
+			'script' => $script,
+		]);
+
+		$executor = $this->getMockBuilder(Executor::class)
+			->setConstructorArgs([$this->dispatcher])
+			->setMethods(['wrapExec'])
+			->getMock();
+
+		$executor->expects($this->once())
+			->method('wrapExec')
+			->with($expected)
+			->willReturn($output);
+
+		$this->assertSame($output, self::invokePrivate($executor, 'execShell', [$room, $message, $command, $arguments]));
+
+	}
+
+	public function dataEscapeArguments(): array {
+		return [
+			['foobar',             "'foobar'"],
+			['foo bar',            "'foo' 'bar'"],
+			['"foo" bar',          "\"foo\" 'bar'"],
+			['"foo"bar',           "'\"foo\"bar'"],
+			['"foo bar"',          '"foo bar"'],
+			['"foo foo"bar bar"',  '"foo foo\\"bar bar"'],
+			['"foo foo\"bar bar"', '"foo foo\\\\"bar bar"'],
+			['" foo bar "',        '" foo bar "'],
+			['" foo bar ',         "'\" foo bar '"],
+		];
+	}
+
+	/**
+	 * @dataProvider dataEscapeArguments
+	 * @param string $arguments
+	 * @param string $expected
+	 */
+	public function testEscapeArguments(string $arguments, string $expected): void {
+		$this->assertSame($expected, self::invokePrivate($this->executor, 'escapeArguments', [$arguments]));
+	}
+}