ltrim dashes from the stage ID

Closes #3417905

package_manager/src/StageBase.php

@@ -6,7 +6,7 @@ namespace Drupal\package_manager;
 
 use Composer\Semver\VersionParser;
 use Drupal\Component\Datetime\TimeInterface;
-use Drupal\Component\Utility\Crypt;
+use Drupal\Component\Utility\Random;
 use Drupal\Core\Queue\QueueFactory;
 use Drupal\Core\StringTranslation\StringTranslationTrait;
 use Drupal\Core\StringTranslation\TranslatableMarkup;
@@ -344,7 +344,13 @@ abstract class StageBase implements LoggerAwareInterface {
     // to create a stage directory at around the same time. If an error occurs
     // while the event is being processed, the stage is marked as available.
     // @see ::dispatch()
-    $id = Crypt::randomBytesBase64();
+    // We specifically generate a random 32-character alphanumeric name in order
+    // to guarantee that the the stage ID won't start with -, which could cause
+    // it to be interpreted as an option if it's used as a command-line
+    // argument. (For example,
+    // \Drupal\Component\Utility\Crypt::randomBytesBase64() would be vulnerable
+    // to this; the stage ID needs to be unique, but not cryptographically so.)
+    $id = (new Random())->name(32);
     // Re-acquire the tempstore to ensure that the lock is written by whoever is
     // actually logged in (or not) right now, since it's possible that the stage
     // was instantiated (i.e., __construct() was called) by a different session,