Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

selinux_build_module_simple.sh: improve quoting #375

Merged
merged 2 commits into from
Nov 1, 2023
Merged

selinux_build_module_simple.sh: improve quoting #375

merged 2 commits into from
Nov 1, 2023

Conversation

kenyon
Copy link
Member

@kenyon kenyon commented Aug 21, 2023

If module_name or module_dir had a space, this script would fail.

Also avoid existence test for the tmp dir and use mkdir -p instead.

@kenyon kenyon requested a review from smortex August 21, 2023 21:40
smortex
smortex approved these changes Aug 21, 2023
View reviewed changes
Copy link
Member

@smortex smortex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That look more correct!

I guess the CI don't the case with spaces but maybe you have a real-case scenario you can check against this branch to ensure correctness?

LGTM!

@kenyon
Copy link
Member Author

kenyon commented Aug 22, 2023

Yeah, that's another problem with using a shell script like this, it would have to be tested in acceptance tests.

I found more command lines where filenames should be quoted. Tomorrow I'll see if I can add an acceptance test that fails without this PR.

@kenyon kenyon marked this pull request as draft August 22, 2023 00:21
@smortex
Copy link
Member

smortex commented Aug 22, 2023

Thinking about it, the "best" is probably to rely on shellquote to escape shell special chars. I can't really think that somebody able to inject malicious subcommands in a control-repo without validation has no prior root access to the system, but for the sake of best practice it may make sense to prevent such misuse.

@kenyon
Copy link
Member Author

kenyon commented Aug 22, 2023
edited
Loading

Thinking about it, the "best" is probably to rely on shellquote to escape shell special chars. I can't really think that somebody able to inject malicious subcommands in a control-repo without validation has no prior root access to the system, but for the sake of best practice it may make sense to prevent such misuse.

Hmmmm, the command line is actually already shellquoted:

puppet-selinux/manifests/module.pp

Line 83 in 37e1761

'simple' => shellquote($selinux::build::module_build_simple, $title, $module_dir),

I used a $title with a space in it, which is how I discovered this problem. So the shellquoting protects the exec command line, but I guess the problem is that usage of those arguments inside the script still needs proper quoting. What do you think?

@kenyon kenyon marked this pull request as ready for review August 22, 2023 21:46
kenyon added 2 commits October 31, 2023 22:17
@kenyon
selinux_build_module_simple.sh: fix quoting
3d832e6 
If module_name or module_dir had a space, this script would fail.

Also avoid existence test for the tmp dir and use mkdir -p instead.
@kenyon
module: quote filenames in command lines
bdad92a
@kenyon kenyon changed the title selinux_build_module_simple.sh: fix quoting selinux_build_module_simple.sh: improve quoting Nov 1, 2023
@kenyon kenyon added the enhancement New feature or request label Nov 1, 2023
@kenyon kenyon merged commit cad3924 into voxpupuli:master Nov 1, 2023
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smortex smortex smortex approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kenyon @smortex