From 270ea940ee1bd48747f1968307f75c30023535d1 Mon Sep 17 00:00:00 2001
From: Rob Reynolds
Date: Fri, 26 Jun 2015 18:02:50 -0500
Subject: [PATCH] (GH-341) Do not allow combining paths with colon

When attempting to combine paths, do not allow any paths being added to have colon `:` as that will reset the path. This can lead to possibly very bad situations when an incorrect command is sent to choco.
---
 .../infrastructure/filesystem/DotNetFileSystemSpecs.cs | 8 ++++++++
 .../commands/ChocolateyInstallCommand.cs | 7 +++++++
 .../infrastructure/filesystem/DotNetFileSystem.cs | 8 ++++++++
 3 files changed, 23 insertions(+)
diff --git a/src/chocolatey.tests/infrastructure/filesystem/DotNetFileSystemSpecs.cs b/src/chocolatey.tests/infrastructure/filesystem/DotNetFileSystemSpecs.cs
index f00fb5b6d0..f7ca43dcbc 100644
--- a/src/chocolatey.tests/infrastructure/filesystem/DotNetFileSystemSpecs.cs
+++ b/src/chocolatey.tests/infrastructure/filesystem/DotNetFileSystemSpecs.cs
@@ -17,6 +17,7 @@ namespace chocolatey.tests.infrastructure.filesystem
 {
 using System;
 using System.IO;
+ using NUnit.Framework;
 using Should;
 using chocolatey.infrastructure.filesystem;
 using chocolatey.infrastructure.platforms;
@@ -113,6 +114,13 @@ public void Combine_should_combine_when_paths_start_with_forwardslashes_in_subpa
 "C:\\temp\\yo\\filename.txt" : "C:/temp/yo/filename.txt");
 }
+
+ [Fact]
+ [ExpectedException(typeof(ApplicationException), MatchType = MessageMatch.StartsWith, ExpectedMessage = "Cannot combine a path with")]
+ public void Combine_should_error_if_any_path_but_the_primary_contains_colon()
+ {
+ FileSystem.combine_paths("C:\\temp", "C:");
+ }
 }
 }
 }
\ No newline at end of file
diff --git a/src/chocolatey/infrastructure.app/commands/ChocolateyInstallCommand.cs b/src/chocolatey/infrastructure.app/commands/ChocolateyInstallCommand.cs
index c26cbe973c..7181b0a87e 100644
--- a/src/chocolatey/infrastructure.app/commands/ChocolateyInstallCommand.cs
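Review bot: The new spec Combine_should_error_if_any_path_but_the_primary_contains_colon only exercises a colon in the first right-hand argument, although its name promises any non-primary path. A second case such as `FileSystem.combine_paths("C:\\temp", "yo", "C:");` would pin the check to every iteration of the loop rather than just the first item.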
+++ b/src/chocolatey/infrastructure.app/commands/ChocolateyInstallCommand.cs
@@ -97,6 +97,13 @@ public void handle_validation(ChocolateyConfiguration configuration)
 {
 throw new ApplicationException("Package name is required. Please pass at least one package name to install.");
 }
+ // Need a better check on this before releasing. Issue will be covered by other fixes
+ //// investigate https://msdn.microsoft.com/en-us/library/system.io.path.getinvalidpathchars(v=vs.100).aspx
+ //if (configuration.PackageNames.Contains(":"))
+ //{
+ // throw new ApplicationException("Package name cannot contain invalid characters.");
+ //}
+
+
 if (configuration.ForceDependencies && !configuration.Force)
 {
 throw new ApplicationException("Force dependencies can only be used with force also turned on.");
diff --git a/src/chocolatey/infrastructure/filesystem/DotNetFileSystem.cs b/src/chocolatey/infrastructure/filesystem/DotNetFileSystem.cs
index 19dc815ddb..77aac30f4d 100644
--- a/src/chocolatey/infrastructure/filesystem/DotNetFileSystem.cs
+++ b/src/chocolatey/infrastructure/filesystem/DotNetFileSystem.cs
@@ -50,6 +50,8 @@ public string combine_paths(string leftItem, params string[] rightItems)
 var combinedPath = Platform.get_platform() == PlatformType.Windows ? leftItem : leftItem.Replace('\\', '/');
 foreach (var rightItem in rightItems)
 {
+ if (rightItem.Contains(":")) throw new ApplicationException("Cannot combine a path with ':' attempted to combine '{0}' with '{1}'".format_with(rightItem, combinedPath));
+
 var rightSide = Platform.get_platform() == PlatformType.Windows ? rightItem : rightItem.Replace('\\', '/');
 if (rightSide.StartsWith(Path.DirectorySeparatorChar.to_string()) || rightSide.StartsWith(Path.AltDirectorySeparatorChar.to_string()))
 {
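Review bot: The package-name guard in handle_validation is committed as commented-out code, so a name containing ':' still passes validation here and is only stopped later by the throw added to combine_paths. The API the comment links to would not close this either, because Path.GetInvalidPathChars does not list ':' on Windows; Path.GetInvalidFileNameChars does. I would replace the dead block with one tracked comment, `// TODO(GH-341): reject package names containing characters from Path.GetInvalidFileNameChars()`, or enable a real check. If PackageNames holds several names in one string (not visible in this hunk), that check should run per name rather than on the whole argument. handle_validation continues outside the hunk.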
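Review bot: The guard added at the top of the foreach in combine_paths closes only one way out of leftItem: an item containing ':' now throws, but an item made of `..` segments is still combined and resolves above the base directory. If any caller passes package names or other user-supplied values as rightItems (callers are not visible here), check the result instead of denylisting one character, for example after the loop: `if (!get_full_path(combinedPath).StartsWith(get_full_path(leftItem), StringComparison.OrdinalIgnoreCase)) throw new ApplicationException("Combined path leaves the base directory.");`. That comparison needs a trailing separator on the base so that `C:\temp2` is not treated as inside `C:\temp`, and it would reject callers that use `..` on purpose, so it may belong in a separate checked variant. The loop body and the rest of combine_paths lie outside the hunk.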
@@ -336,6 +338,9 @@ public void create_directory(string directoryPath)
 public void move_directory(string directoryPath, string newDirectoryPath)
 {
+ if (string.IsNullOrWhiteSpace(directoryPath) || string.IsNullOrWhiteSpace(newDirectoryPath)) throw new ApplicationException("You must provide a directory to move from or to.");
+ if (combine_paths(directoryPath,"").is_equal_to(combine_paths(Environment.GetEnvironmentVariable("SystemDrive"),""))) throw new ApplicationException("Cannot move or delete the root of the system drive");
+
 try
 {
 this.Log().Debug("Moving '{0}'{1} to '{2}'".format_with(directoryPath, Environment.NewLine, newDirectoryPath));
@@ -404,6 +409,9 @@ public void create_directory_if_not_exists(string directoryPath, bool ignoreErro
 public void delete_directory(string directoryPath, bool recursive)
 {
+ if (string.IsNullOrWhiteSpace(directoryPath)) throw new ApplicationException("You must provide a directory to delete.");
+ if (combine_paths(directoryPath, "").is_equal_to(combine_paths(Environment.GetEnvironmentVariable("SystemDrive"), ""))) throw new ApplicationException("Cannot move or delete the root of the system drive");
+
 this.Log().Debug(() => "Attempting to delete directory \"{0}\".".format_with(get_full_path(directoryPath)));
 allow_retries(() => Directory.Delete(directoryPath, recursive));
 }
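Review bot: The root guard added to move_directory, and repeated in delete_directory in the next hunk, depends on the SystemDrive environment variable, which is normally unset outside Windows; `combine_paths(null, "")` then reaches `leftItem.Replace('\\', '/')` in the non-Windows branch of combine_paths and throws a NullReferenceException before any directory work starts. The comparison is also a plain string match against one drive, so non-normalized spellings of the root (a trailing separator, `.` segments) or the root of another drive may get past it, depending on normalisation inside combine_paths and is_equal_to that is not visible here. Resolving the path first covers both cases: `var fullPath = Path.GetFullPath(directoryPath);` followed by `if (fullPath.is_equal_to(Path.GetPathRoot(fullPath))) throw new ApplicationException("Cannot move or delete the root of a drive");`. move_directory also leaves newDirectoryPath unchecked against the root, and its body continues outside the hunk.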