1 files changed, 24 insertions, 4 deletions

diff --git a/spec/bundler/bundler/source/git/git_proxy_spec.rb b/spec/bundler/bundler/source/git/git_proxy_spec.rb
index 97f06973cb..cffd72cc3f 100644
--- a/spec/bundler/bundler/source/git/git_proxy_spec.rb
+++ b/spec/bundler/bundler/source/git/git_proxy_spec.rb
@@ -11,21 +11,21 @@ RSpec.describe Bundler::Source::Git::GitProxy do
   context "with configured credentials" do
     it "adds username and password to URI" do
       Bundler.settings.temporary(uri => "u:p") do
-        expect(subject).to receive(:git_retry).with("clone", "https://u:p@github.com/rubygems/rubygems.git", any_args)
+        expect(subject).to receive(:git_retry).with("clone", "--bare", "--no-hardlinks", "--quiet", "--", "https://u:p@github.com/rubygems/rubygems.git", path.to_s)
         subject.checkout
       end
     end
 
     it "adds username and password to URI for host" do
       Bundler.settings.temporary("github.com" => "u:p") do
-        expect(subject).to receive(:git_retry).with("clone", "https://u:p@github.com/rubygems/rubygems.git", any_args)
+        expect(subject).to receive(:git_retry).with("clone", "--bare", "--no-hardlinks", "--quiet", "--", "https://u:p@github.com/rubygems/rubygems.git", path.to_s)
         subject.checkout
       end
     end
 
     it "does not add username and password to mismatched URI" do
       Bundler.settings.temporary("https://u:p@github.com/rubygems/rubygems-mismatch.git" => "u:p") do
-        expect(subject).to receive(:git_retry).with("clone", uri, any_args)
+        expect(subject).to receive(:git_retry).with("clone", "--bare", "--no-hardlinks", "--quiet", "--", uri, path.to_s)
         subject.checkout
       end
     end
@@ -34,7 +34,7 @@ RSpec.describe Bundler::Source::Git::GitProxy do
       Bundler.settings.temporary("github.com" => "u:p") do
         original = "https://orig:info@github.com/rubygems/rubygems.git"
         subject = described_class.new(Pathname("path"), original, "HEAD")
-        expect(subject).to receive(:git_retry).with("clone", original, any_args)
+        expect(subject).to receive(:git_retry).with("clone", "--bare", "--no-hardlinks", "--quiet", "--", original, path.to_s)
         subject.checkout
       end
     end
@@ -148,4 +148,24 @@ RSpec.describe Bundler::Source::Git::GitProxy do
       end
     end
   end
+
+  it "doesn't allow arbitrary code execution through Gemfile uris with a leading dash" do
+    gemfile <<~G
+      gem "poc", git: "-u./pay:load.sh"
+    G
+
+    file = bundled_app("pay:load.sh")
+
+    create_file file, <<~RUBY
+      #!/bin/sh
+
+      touch #{bundled_app("canary")}
+    RUBY
+
+    FileUtils.chmod("+x", file)
+
+    bundle :lock, :raise_on_error => false
+
+    expect(Pathname.new(bundled_app("canary"))).not_to exist
+  end
 end