[type/__update_alternatives] Secure cdist-defined environment variables with :?

2021-08-02 21:23:50 +02:00 · 2021-08-02 21:23:50 +02:00 · a7d6481a7d
commit a7d6481a7d
parent 542674dae8
5 changed files with 13 additions and 14 deletions
--- a/cdist/conf/type/__update_alternatives/explorer/alternatives
+++ b/cdist/conf/type/__update_alternatives/explorer/alternatives
@ -1,4 +1,4 @@
 #!/bin/sh -e

-update-alternatives --display "$__object_id" 2>/dev/null \
+update-alternatives --display "${__object_id:?}" 2>/dev/null \
    | awk -F ' - ' '/priority [0-9]+$/ { print $1 }'
--- a/cdist/conf/type/__update_alternatives/explorer/link
+++ b/cdist/conf/type/__update_alternatives/explorer/link
@ -18,12 +18,12 @@ for altdir in \
    /var/lib/dpkg/alternatives \
    /var/lib/alternatives
 do
-    if [ ! -f "$altdir/$__object_id" ]
+    if [ ! -f "$altdir/${__object_id:?}" ]
    then
        continue
    fi

-    link="$( awk 'NR==2' "$altdir/$__object_id" )"
+    link="$( awk 'NR==2' "$altdir/${__object_id:?}" )"

    if [ -n "$link" ]
    then
@ -33,7 +33,7 @@ done

 if [ -z "$link" ]
 then
-    echo "unable to get link for $__object_id" >&2
+    echo "unable to get link for ${__object_id:?}" >&2
    exit 1
 fi

--- a/cdist/conf/type/__update_alternatives/explorer/path_is
+++ b/cdist/conf/type/__update_alternatives/explorer/path_is
@ -1,11 +1,11 @@
 #!/bin/sh -e

-path_is="$( update-alternatives --display "$__object_id" 2>/dev/null \
+path_is="$( update-alternatives --display "${__object_id:?}" 2>/dev/null \
    | awk '/link currently points to/ {print $5}' )"

 if [ -z "$path_is" ]
 then
-    echo "unable to get current path for $__object_id" >&2
+    echo "unable to get current path for ${__object_id:?}" >&2
    exit 1
 fi

--- a/cdist/conf/type/__update_alternatives/explorer/path_should_state
+++ b/cdist/conf/type/__update_alternatives/explorer/path_should_state
@ -1,6 +1,6 @@
 #!/bin/sh -e

-if [ -f "$( cat "$__object/parameter/path" )" ]
+if [ -f "$( cat "${__object:?}/parameter/path" )" ]
 then
    echo 'present'
 else
--- a/cdist/conf/type/__update_alternatives/gencode-remote
+++ b/cdist/conf/type/__update_alternatives/gencode-remote
@ -18,26 +18,25 @@
 # You should have received a copy of the GNU General Public License
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.

-path_is="$( cat "$__object/explorer/path_is" )"
+path_is="$( cat "${__object:?}/explorer/path_is" )"

-path_should="$( cat "$__object/parameter/path" )"
+path_should="$( cat "${__object:?}/parameter/path" )"

 if [ "$path_is" = "$path_should" ]
 then
    exit 0
 fi

-if [ "$( cat "$__object/explorer/path_should_state" )" = 'absent' ] && [ -z "$__cdist_dry_run" ]
+if [ "$( cat "${__object:?}/explorer/path_should_state" )" = 'absent' ] \
+    && [ -z "${__cdist_dry_run+dry run}" ]
 then
    echo "$path_should does not exist in target" >&2
    exit 1
 fi

-name="$__object_id"
+name=${__object_id:?}

-alternatives="$( cat "$__object/explorer/alternatives" )"
-
-if ! echo "$alternatives" | grep -Fxq "$path_should"
+if ! grep -Fxq "$path_should" "${__object:?}/explorer/alternatives"
 then
    if [ ! -f "$__object/parameter/install" ]
    then