(PUP-9997) Don't Dir.chdir when installing modules

When the Dir.chdir block ends we may not have permission to switch our cwd back
to where we started. So keep the cwd as is and pass the dest dir to the
tar/find/chown commands. Since we're passing arbitrary destination directories,
escape it.

Author: joshcooper

lib/puppet/module_tool/tar/gnu.rb

@@ -4,15 +4,14 @@
 
 class Puppet::ModuleTool::Tar::Gnu
   def unpack(sourcefile, destdir, owner)
-    sourcefile = File.expand_path(sourcefile)
+    safe_sourcefile = Shellwords.shellescape(File.expand_path(sourcefile))
     destdir = File.expand_path(destdir)
+    safe_destdir = Shellwords.shellescape(destdir)
 
-    Dir.chdir(destdir) do
-      Puppet::Util::Execution.execute("gzip -dc #{Shellwords.shellescape(sourcefile)} | tar xof -")
-      Puppet::Util::Execution.execute("find . -type d -exec chmod 755 {} +")
-      Puppet::Util::Execution.execute("find . -type f -exec chmod u+rw,g+r,a-st {} +")
-      Puppet::Util::Execution.execute("chown -R #{owner} .")
-    end
+    Puppet::Util::Execution.execute("gzip -dc #{safe_sourcefile} | tar --extract --no-same-owner --directory #{safe_destdir} --file -")
+    Puppet::Util::Execution.execute("find #{safe_destdir} -type d -exec chmod 755 {} +")
+    Puppet::Util::Execution.execute("find #{safe_destdir} -type f -exec chmod u+rw,g+r,a-st {} +")
+    Puppet::Util::Execution.execute("chown -R #{owner} #{safe_destdir}")
   end
 
   def pack(sourcedir, destfile)

spec/unit/module_tool/tar/gnu_spec.rb

@@ -7,12 +7,13 @@
   let(:sourcedir)  { '/space path/the/src/dir' }
   let(:destfile)   { '/space path/the/dest/file.tar.gz' }
 
+  let(:safe_sourcefile) { '/space\ path/the/module.tar.gz' }
+  let(:safe_destdir)    { '/space\ path/the/dest/dir' }
   it "unpacks a tar file" do
-    expect(Dir).to receive(:chdir).with(File.expand_path(destdir)).and_yield
-    expect(Puppet::Util::Execution).to receive(:execute).with("gzip -dc #{Shellwords.shellescape(File.expand_path(sourcefile))} | tar xof -")
-    expect(Puppet::Util::Execution).to receive(:execute).with("find . -type d -exec chmod 755 {} +")
-    expect(Puppet::Util::Execution).to receive(:execute).with("find . -type f -exec chmod u+rw,g+r,a-st {} +")
-    expect(Puppet::Util::Execution).to receive(:execute).with("chown -R <owner:group> .")
+    expect(Puppet::Util::Execution).to receive(:execute).with("gzip -dc #{safe_sourcefile} | tar --extract --no-same-owner --directory #{safe_destdir} --file -")
+    expect(Puppet::Util::Execution).to receive(:execute).with("find #{safe_destdir} -type d -exec chmod 755 {} +")
+    expect(Puppet::Util::Execution).to receive(:execute).with("find #{safe_destdir} -type f -exec chmod u+rw,g+r,a-st {} +")
+    expect(Puppet::Util::Execution).to receive(:execute).with("chown -R <owner:group> #{safe_destdir}")
     subject.unpack(sourcefile, destdir, '<owner:group>')
   end