Disable @-syntax in server-side CmdLineParser instances

Since args4j 2.0.29, the default behavior when passing an argument value
of the form "@file" is to read the contents of "file" from the
filesystem and use that as the argument value. This is inappropriate
when the argument value is provided by a user on the internet to a
Gerrit server.

Turn off the behavior in all codepaths in Gerrit. The 5 calls fixed in
this change are all the calls of the CmdLineParser constructors found by
IntelliJ.

It would arguably be ok to leave the @-syntax on for the standalone
programs like ProtoGen, since someone running those programs on a server
could already read arbitrary files with `cat`. However, it's safest to
disable in all paths, so we don't risk making an incorrect judgment
call, and so someone copy/pasting the usage doesn't unintentionally
copy an insecure usage. Moreover, this functionality has not yet been
present in any stable releases, so we know nobody is depending on it
working.

Change-Id: Ib2e40dee443b96c5a8db67affa52a424bba5c4ae
This commit is contained in:
Dave Borowitz
2018-10-05 10:01:49 -07:00
parent 6c0d52fcf4
commit eeae376f3c
5 changed files with 11 additions and 5 deletions

@@ -48,6 +48,7 @@ import org.kohsuke.args4j.Argument;
import org.kohsuke.args4j.CmdLineException;
import org.kohsuke.args4j.CmdLineParser;
import org.kohsuke.args4j.Option;
import org.kohsuke.args4j.ParserProperties;
/** Allows getting archives for Git repositories over SSH using the Git upload-archive protocol. */
public class UploadArchive extends AbstractGitCommand {
@@ -151,7 +152,8 @@ public class UploadArchive extends AbstractGitCommand {
try {
// Parse them into the 'options' field
CmdLineParser parser = new CmdLineParser(options);
CmdLineParser parser =
new CmdLineParser(options, ParserProperties.defaults().withAtSyntax(false));
parser.parseArgument(args);
if (options.path == null || Arrays.asList(".").equals(options.path)) {
options.path = Collections.emptyList();
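
Review bot: The `ParserProperties.defaults().withAtSyntax(false)` argument on the `new CmdLineParser(options, ...)` line is spelled out inline, and the commit message says the same edit is made at 5 constructor calls, so a call site added later with the one-argument constructor would silently get the @-syntax back. Consider putting the hardened properties behind one shared helper or factory that every call site uses, and add a test that passes an argument beginning with `@` through this parser and checks that it is treated as a literal value rather than read from the filesystem.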