Fix shell_escape of unless command #550

Merged
merged 1 commit into from
Apr 4, 2023

Conversation

traylenator
Contributor

A bug was introduced in 74ea1de .

It resulted in an error:

```
Error: /Stage[main]/Java::Config/Exec[create-java-alternatives]: Could not evaluate:
   Could not find command 'alternatives\'
```

The effective exec was:

```puppet
exec{'create-java-alternatives':
  path    => '/usr/bin:/usr/sbin:/bin:/sbi
  command => ['alternatives', '--install', '/usr/bin/java', 'java', $java::use_java_alternative_path, '20000'],
  unless  => shell_escape("alternatives --display java | grep -q $java::use_java_alternative_path}"),
}
```

This errors since the spaces inside the `shell_escape` are also escaped to `\ `.

This patch only shell_escapes the externally supplied string
`java::java_alternative_path`, which was, I expect, the object of the exercise.

Configuration to trigger the bug, but it should not be hard.

```puppet
class{'java':
 distribution          => 'jdk',
 java_alternative      => '/usr/lib/jvm/java-11-openjdk/bin/java',
 java_alternative_path => '/usr/lib/jvm/java-11-openjdk/bin/java',
 java_home             => '/usr/lib/jvm/java-11-openjdk/',
 package               => 'java-11-openjdk-devel',
 version               => 'present',
}
```
@traylenator traylenator requested a review from a team as a code owner March 30, 2023 14:27
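
The difference between the two forms of the `unless` guard described above, as an added example that is not part of the pull request or of the module's code. It assumes Ruby's `Shellwords.escape` as a stand-in for `shell_escape`; the helper names and `ODD_PATH` are constructed for illustration.

```ruby
require 'shellwords'

# Assumption: Shellwords.escape stands in for stdlib's shell_escape; it
# backslash-escapes every character outside A-Za-z0-9_-.,:+/@ (spaces included).
def shell_escape(str)
  Shellwords.escape(str.to_s)
end

# Form reported as broken: the whole command line goes through the escaper.
def unless_whole_escaped(path)
  shell_escape("alternatives --display java | grep -q #{path}")
end

# Form described as the fix: only the externally supplied path is escaped.
def unless_arg_escaped(path)
  "alternatives --display java | grep -q #{shell_escape(path)}"
end

# No escaping at all, for comparison.
def unless_unescaped(path)
  "alternatives --display java | grep -q #{path}"
end

# Shell-style word splitting (quotes and backslashes honoured; operators such
# as | and ; are not interpreted and simply show up inside the words).
def words(cmd)
  Shellwords.split(cmd)
end

PAGE_PATH = '/usr/lib/jvm/java-11-openjdk/bin/java'  # value from the page
ODD_PATH  = '/opt/jdk 11/bin/java; echo injected'    # constructed input

if __FILE__ == $PROGRAM_NAME
  broken = unless_whole_escaped(PAGE_PATH)
  puts "whole-escaped : #{broken}"
  puts "  first token : #{broken.split(' ').first}" # the name in the error
  puts "  shell words : #{words(broken).length}"
  puts "arg-escaped   : #{unless_arg_escaped(ODD_PATH)}"
  puts "  grep pattern: #{words(unless_arg_escaped(ODD_PATH)).last}"
  puts "unescaped     : #{words(unless_unescaped(ODD_PATH)).inspect}"
end
```

With the whole line escaped, the pipeline collapses into a single word, so there is no `alternatives` command left to find; with only the path escaped, the pipeline survives and the path reaches `grep` as one argument even when it contains spaces or a `;`.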
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@puppet-community-rangefinder

java::config is a class that may have no external impact to Forge modules.

This module is declared in 79 of 580 indexed public Puppetfiles.


These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

@traylenator
Contributor Author

@treydock for info 9.0.1 is broken your keycloak module which you don't support yet :-)

@traylenator
Contributor Author

Avoiding this completely using https://forge.puppet.com/modules/puppet/alternatives would be a good idea.

@traylenator
Contributor Author

CLA has been signed for me on behalf of CERN IT.

Member

@david22swan david22swan left a comment

LGTM
Thanks for catching this

@david22swan david22swan merged commit eae7cdd into puppetlabs:main Apr 4, 2023
@traylenator traylenator deleted the escape branch April 4, 2023 09:09