Fix git/hg driver identifier validation for getChangeDate when using method programmatically

glaubinix · Seldaek · commit 6621d4527775 · 2026-04-13T17:00:26.000+02:00
This is no issue for Composer users but when using Composer as a library a call to this method with a leading dash could still cause issues
diff --git a/src/Composer/Repository/Vcs/GitDriver.php b/src/Composer/Repository/Vcs/GitDriver.php
@@ -164,6 +164,10 @@ public function getFileContent(string $file, string $identifier): ?string
      */
     public function getChangeDate(string $identifier): ?\DateTimeImmutable
     {
+        if (isset($identifier[0]) && $identifier[0] === '-') {
+            throw new \RuntimeException('Invalid git identifier detected. Identifier must not start with a -, given: ' . $identifier);
+        }
+
         $command = GitUtil::buildRevListCommand($this->process, ['-n1', '--format=%at', $identifier]);
         $this->process->execute($command, $output, $this->repoDir);
 
diff --git a/src/Composer/Repository/Vcs/HgDriver.php b/src/Composer/Repository/Vcs/HgDriver.php
@@ -146,6 +146,10 @@ public function getFileContent(string $file, string $identifier): ?string
      */
     public function getChangeDate(string $identifier): ?\DateTimeImmutable
     {
+        if (isset($identifier[0]) && $identifier[0] === '-') {
+            throw new \RuntimeException('Invalid hg identifier detected. Identifier must not start with a -, given: ' . $identifier);
+        }
+
         $this->process->execute(
             ['hg', 'log', '--template', '{date|rfc3339date}', '-r', $identifier],
             $output,
diff --git a/tests/Composer/Test/Repository/Vcs/GitDriverTest.php b/tests/Composer/Test/Repository/Vcs/GitDriverTest.php
@@ -184,6 +184,17 @@ public function testFileGetContentInvalidIdentifier(): void
         $driver->getFileContent('file.txt', '-h');
     }
 
+    public function testGetChangeDateInvalidIdentifier(): void
+    {
+        self::expectException('\RuntimeException');
+
+        $process = $this->getProcessExecutorMock();
+        $io = $this->getMockBuilder('Composer\IO\IOInterface')->getMock();
+        $driver = new GitDriver(['url' => 'https://example.org/acme.git'], $io, $this->config, $this->getMockBuilder('Composer\Util\HttpDownloader')->disableOriginalConstructor()->getMock(), $process);
+
+        $driver->getChangeDate('-n1 --format=%at HEAD');
+    }
+
     private function setRepoDir(GitDriver $driver, string $path): void
     {
         $reflectionClass = new \ReflectionClass($driver);
diff --git a/tests/Composer/Test/Repository/Vcs/HgDriverTest.php b/tests/Composer/Test/Repository/Vcs/HgDriverTest.php
@@ -110,4 +110,14 @@ public function testFileGetContentInvalidIdentifier(): void
 
         $driver->getFileContent('file.txt', '-h');
     }
+
+    public function testGetChangeDateInvalidIdentifier(): void
+    {
+        self::expectException('\RuntimeException');
+
+        $process = $this->getProcessExecutorMock();
+        $driver = new HgDriver(['url' => 'https://example.org/acme.git'], $this->io, $this->config, $this->getMockBuilder('Composer\Util\HttpDownloader')->disableOriginalConstructor()->getMock(), $process);
+
+        $driver->getChangeDate('-r foo');
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -110,4 +110,14 @@ public function testFileGetContentInvalidIdentifier(): void`
`110`	`110`
`111`	`111`	`$driver->getFileContent('file.txt', '-h');`
`112`	`112`	`}`
	`113`	`+`
	`114`	`+ public function testGetChangeDateInvalidIdentifier(): void`
	`115`	`+ {`
	`116`	`+ self::expectException('\RuntimeException');`
	`117`	`+`
	`118`	`+ $process = $this->getProcessExecutorMock();`
	`119`	`+ $driver = new HgDriver(['url' => 'https://example.org/acme.git'], $this->io, $this->config, $this->getMockBuilder('Composer\Util\HttpDownloader')->disableOriginalConstructor()->getMock(), $process);`
	`120`	`+`
	`121`	`+ $driver->getChangeDate('-r foo');`
	`122`	`+ }`
`113`	`123`	`}`