security: use quote with command, shell and validate with variable #245
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Enhancement:
Use
quote
always when usingcommand
plugin,shell
plugin, validate content as command to execute or system to configure.Reject bad content for
systemd.unit
andsysctl
config.Reason:
This improves security and robustness. At least TMPDIR can be defined outside in various ways.
This follows example in
tests/tests_all_options.yml
wherepkg_mgr
is quoted.When using
command
plugin, it could be possible to useargv
functionality and avoid quoting.Initial reason was single quotes in
'{{ sshd_test_hostkey.path }}/rsa_key'
intasks/install.yml
but not intasks/install_config.yml
andtasks/install_namespace.yml
.Result:
Included test passes. Care should be taken if test fails. It might leave
BADFLAG
user or related files behind.Issue Tracker Tickets (Jira or BZ if any): -