Issue #3277025 by Spokje, longwave: For additional security you should declare...

Issue #3277025 by Spokje, longwave: For additional security you should declare the allow-plugins config with a list of packages names that are allowed to run code

(cherry picked from commit 8b44468e)

core/tests/Drupal/Tests/Composer/Plugin/Scaffold/Functional/ManageGitIgnoreTest.php

@@ -218,14 +218,11 @@ public function testUnmanagedGitIgnoreWhenGitNotAvailable() {
     exec('git --help', $output, $status);
     $this->assertEquals(127, $status);
     // Run the scaffold command.
-    $output = [];
-    exec('composer drupal:scaffold', $output, $status);
+    $output = $this->mustExec('composer drupal:scaffold 2>&1', NULL);
 
     putenv('PATH=' . $oldPath . ':' . getenv('PATH'));
 
     $expected = <<<EOT
-0
-
 Scaffolding files for fixtures/drupal-assets-fixture:
   - Copy [web-root]/.csslintrc from assets/.csslintrc
   - Copy [web-root]/.editorconfig from assets/.editorconfig
@@ -247,8 +244,9 @@ public function testUnmanagedGitIgnoreWhenGitNotAvailable() {
 Scaffolding files for fixtures/drupal-composer-drupal-project:
   - Skip [web-root]/.htaccess: disabled
   - Copy [web-root]/robots.txt from assets/robots-default.txt
+
 EOT;
-    $this->assertEquals($expected, $status . "\n\n" . implode("\n", $output));
+    $this->assertEquals($expected, $output);
     $this->assertFileExists($sut . '/docroot/index.php');
     $this->assertFileDoesNotExist($sut . '/docroot/sites/default/.gitignore');
   }

core/tests/Drupal/Tests/Composer/Plugin/Scaffold/fixtures/drupal-composer-drupal-project/composer.json.tmpl

@@ -39,6 +39,11 @@
     "fixtures/drupal-core-fixture": "*",
     "fixtures/scaffold-override-fixture": "*"
   },
+  "config": {
+    "allow-plugins": {
+      "drupal/core-composer-scaffold": true
+    }
+  },
   "extra": {
     "drupal-scaffold": {
       "allowed-packages": [