From 0bd0fec6a6387b7155b0823b58874da72ecbc096 Mon Sep 17 00:00:00 2001
From: Mike McQuaid
Date: Mon, 24 Oct 2016 15:07:49 +0100
Subject: [PATCH] audit: check test system calls are fully scoped.

This doesn't matter for everything but it does for the binaries that are installed. Have a limited name/alias check when not installed and a better one that iterates bin/sbin if installed.
---
 Library/Homebrew/dev-cmd/audit.rb | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/Library/Homebrew/dev-cmd/audit.rb b/Library/Homebrew/dev-cmd/audit.rb
index afa875bdb2..b2d5923899 100644
--- a/Library/Homebrew/dev-cmd/audit.rb
+++ b/Library/Homebrew/dev-cmd/audit.rb
@@ -725,6 +725,19 @@ class FormulaAuditor
 problem %q(use "xcodebuild *args" instead of "system 'xcodebuild', *args")
 end
 
+bin_names = Set.new
+bin_names << formula.name
+bin_names += formula.aliases
+[formula.bin, formula.sbin].each do |dir|
+next unless dir.exist?
+bin_names += dir.children.map(&:basename).map(&:to_s)
+end
+bin_names.each do |name|
+if text =~ /test do.*system\s+['"]#{name}/m
+problem %(fully scope test system calls e.g. system "\#{bin}/#{name}")
+end
+end
+
 if text =~ /xcodebuild[ (]["'*]/ && !text.include?("SYMROOT=")
 problem 'xcodebuild should be passed an explicit "SYMROOT"'
 end
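Review bot: `name` is interpolated into the regex unescaped in the added `bin_names.each` loop, yet it comes from `dir.children` basenames and `formula.aliases`, which can contain regex metacharacters (a `.`, `+` or `?` in a binary name changes the pattern's meaning, and a name such as `c++` no longer matches itself literally). Use `Regexp.escape` so the audit compares the literal name: `if text =~ /test do.*system\s+['"]#{Regexp.escape(name)}/m`. Separately, the pattern has no boundary after the name, so a formula whose name is a prefix of another command in its test block (`system "foo"` vs `system "foobar"`) is flagged twice, which is a false positive worth either accepting in a comment or closing with a trailing `["'\s]` class. The enclosing audit method starts before the hunk and continues after it.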