security hardening

src/lib/bootloader/boot_record_backup.rb

@@ -1,5 +1,6 @@
 require "yast"
 require "date"
+require "shellwords"
 
 module Bootloader
   # Responsibility of class is to manage backup of MBR, respective PBR of disk,
@@ -35,7 +36,7 @@ def initialize(device)
     # Backup is stored in /var/lib/YaST2/backup_boot_sectors, in logs
     # directory and if it is MBR of primary disk, then also in /boot/backup_mbr
     def write
-      Yast::SCR.Execute(BASH_PATH, "mkdir -p #{MAIN_BACKUP_DIR}")
+      Yast::SCR.Execute(BASH_PATH, "/usr/sbin/mkdir -p #{MAIN_BACKUP_DIR.shellescape}")
 
       if exists?
         rotate
@@ -88,7 +89,7 @@ def formated_file_ctime(filename)
     def copy_br(device, target_path, bs: 512)
       Yast::SCR.Execute(
         BASH_PATH,
-        "/bin/dd if=#{device} of=#{target_path} bs=#{bs} count=1 2>&1"
+        "/bin/dd if=#{device.shellescape} of=#{target_path.shellescape} bs=#{bs.to_s.shellescape} count=1 2>&1"
       )
     end
 
@@ -114,7 +115,7 @@ def rotate
       Yast::SCR.Execute(
         BASH_PATH,
         format("/bin/mv %{path} %{path}-%{date}",
-          path: device_file_path, date: change_date)
+          path: device_file_path.shellescape, date: change_date.shellescape)
       )
     end
   end

src/lib/bootloader/grub2pwd.rb

@@ -1,4 +1,5 @@
 require "yast"
+require "shellwords"
 
 Yast.import "Stage"
 
@@ -120,21 +121,16 @@ def disable
       return unless used_on_target?
 
       # operate on target as we have to remove password during installation from target grub2
-      Yast::SCR.Execute(Yast::Path.new(".target.bash"), "rm '#{PWD_ENCRYPTION_FILE}'")
+      Yast::SCR.Execute(Yast::Path.new(".target.bash"), "rm '#{PWD_ENCRYPTION_FILE.shellescape}'")
     end
 
     def encrypt(password)
       Yast.import "String"
 
       quoted_password = Yast::String.Quote(password)
-      result = Yast::WFM.Execute(YAST_BASH_PATH,
-        "echo '#{quoted_password}\n#{quoted_password}\n' | LANG=C grub2-mkpasswd-pbkdf2")
+      result = Yast::Execute.locally("/usr/bin/grub2-mkpasswd-pbkdf2", env: { "LANG" => "C"}, stdin: "test\ntest\n", stdout: :capture)
 
-      if result["exit"] != 0
-        raise "Failed to create encrypted password for grub2. Command output: #{result["stderr"]}"
-      end
-
-      pwd_line = result["stdout"].split("\n").grep(/password is/).first
+      pwd_line = result.split("\n").grep(/password is/).first
       if !pwd_line
         raise "grub2-mkpasswd output do not contain encrypted password. Output: #{result["stdout"]}"
       end

src/modules/BootSupportCheck.rb

@@ -125,7 +125,7 @@ def check_gpt_reserved_partition
 
     # Check if EFI is needed
     def efi?
-      cmd = "modprobe efivars 2>/dev/null"
+      cmd = "/usr/sbin/modprobe efivars 2>/dev/null"
       SCR.Execute(path(".target.bash_output"), cmd)
       FileUtils.Exists("/sys/firmware/efi/systab")
     end

test/grub2pwd_test.rb

@@ -214,13 +214,9 @@ def mock_file_presence(exists)
       PBKDF2 hash of your password is #{ENCRYPTED_PASSWORD}
 EOF
 
-      expect(Yast::WFM).to receive(:Execute)
-        .with(kind_of(Yast::Path), /grub2-mkpasswd/)
-        .and_return(
-          "exit"   => 0,
-          "stderr" => "",
-          "stdout" => success_stdout
-        )
+      expect(Yast::Execute).to receive(:locally)
+        .with(/grub2-mkpasswd/, anything)
+        .and_return(success_stdout)
       subject.password = "really strong password"
 
       expect(subject.instance_variable_get(:@encrypted_password)).to eq ENCRYPTED_PASSWORD