From 33765f49e91b84308f496d684037da80b0938088 Mon Sep 17 00:00:00 2001
From: Ivan Pozdeev
Date: Mon, 11 Nov 2019 10:28:39 +0300
Subject: [PATCH 1/2] npm: Sanitize shell input

---
 lib/dpl/provider/npm.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/dpl/provider/npm.rb b/lib/dpl/provider/npm.rb
index 6df9d119d..087480884 100644
--- a/lib/dpl/provider/npm.rb
+++ b/lib/dpl/provider/npm.rb
@@ -1,4 +1,5 @@
 require 'json'
+require 'shellwords'
 require 'uri'
 module DPL
@@ -30,8 +31,8 @@ def push_app
 log "http://docs.travis-ci.com/user/deployment/npm/"
 log "#{NPMRC_FILE} size: #{File.size(File.expand_path(NPMRC_FILE))}"
- command = "env NPM_API_KEY=#{option(:api_key)} npm publish"
- command << " --tag #{option(:tag)}" if options[:tag]
+ command = "env NPM_API_KEY=#{option(:api_key).shellescape} npm publish"
+ command << " --tag #{option(:tag).shellescape}" if options[:tag]
 context.shell "#{command}"
 FileUtils.rm(File.expand_path(NPMRC_FILE))
 end

From 6382aea515039de1729843432c22599f65973ccc Mon Sep 17 00:00:00 2001
From: Ivan Pozdeev
Date: Mon, 11 Nov 2019 12:01:30 +0300
Subject: [PATCH 2/2] Revert "fix heroku spec?"

This reverts commit 6f49b25d174d1baf01970ee4533125f016996cad.

Causes test failure, the actual command line is not what this change asserts
---
 spec/provider/heroku_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/provider/heroku_spec.rb b/spec/provider/heroku_spec.rb
index e5e57aecc..f0fb1b4fa 100644
--- a/spec/provider/heroku_spec.rb
+++ b/spec/provider/heroku_spec.rb
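Review bot: Escaping closes the shell-injection path, but the API key still travels on the command line in `command = "env NPM_API_KEY=#{option(:api_key).shellescape} npm publish"`, where it is readable by any local process through the process table and by anything that records the command string; nothing in the hunk shows `context.shell` redacting it. If the shell helper accepts an environment separately, pass `NPM_API_KEY` that way and keep the command to `npm publish`; otherwise set `ENV['NPM_API_KEY']` around the call rather than embedding the secret in the command. Separately, `shellescape` is a `String` method, so a tag that arrives as a non-string (for example an integer from YAML config) would raise `NoMethodError` on the `--tag` line; `Shellwords.escape(option(:tag))` coerces with `to_s` and avoids that. `push_app` begins before this hunk.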
@@ -231,7 +231,7 @@
 expect(provider).to receive(:faraday).at_least(:once).and_return(faraday)
 expect(provider).to receive(:get_url).and_return 'http://example.com/source.tgz'
 expect(provider).to receive(:version).and_return 'v1.3.0'
- expect(provider.context).to receive(:shell).with("curl -sS https://build-output.heroku.com/streams/01234567-89ab-cdef-0123-456789abcdef -H 'Accept: application/vnd.heroku+json; version=3' -H 'User-Agent: dpl/#{DPL::VERSION}'")
+ expect(provider.context).to receive(:shell).with("curl https://build-output.heroku.com/streams/01234567-89ab-cdef-0123-456789abcdef -H 'Accept: application/vnd.heroku+json; version=3' -H 'User-Agent: dpl/#{DPL::VERSION}'")
 provider.trigger_build
 expect(provider.build_id).to eq('01234567-89ab-cdef-0123-456789abcdef')
 end
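Review bot: The asserted `curl` command on the `+` line now omits `-sS` (quiet output, errors still reported), and the hunk cannot show whether that matches the provider's intended behaviour or only its current one, because `trigger_build` lives outside this hunk. The commit message says the real command line differs from the earlier assertion, which is consistent with either the provider never having gained `-sS` or the provider change being missing; if `-sS` was the intent, reverting only the spec silences the failing test instead of fixing the provider. Confirm which side is meant before merging. The enclosing `it` block starts before this hunk.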