Merge pull request #550 from traylenator/escape

david22swan · web-flow · commit eae7cdd6f9e0 · 2023-04-04T09:50:11.000+01:00
Fix shell_escape of unless command
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -26,12 +26,12 @@
         # For the stanard packages java::params needs these added.
         if $java::use_java_package_name != $java::default_package_name {
           $command_redhat = ['alternatives', '--install', '/usr/bin/java', 'java', $java::use_java_alternative_path, '20000']
-          $unless_redhat = "alternatives --display java | grep -q ${java::use_java_alternative_path}"
+          $unless_redhat = "alternatives --display java | grep -q ${shell_escape($java::use_java_alternative_path)}"
 
           exec { 'create-java-alternatives':
             path    => '/usr/bin:/usr/sbin:/bin:/sbin',
             command => $command_redhat,
-            unless  => shell_escape($unless_redhat),
+            unless  => $unless_redhat,
             before  => Exec['update-java-alternatives'],
           }
         }
diff --git a/spec/classes/java_spec.rb b/spec/classes/java_spec.rb
@@ -36,10 +36,24 @@
     let(:params) { { 'package' => 'jre', 'java_alternative' => '/usr/bin/java', 'java_alternative_path' => '/usr/java/jre1.7.0_67/bin/java' } }
 
     it { is_expected.to contain_package('java').with_name('jre') }
-    it { is_expected.to contain_exec('create-java-alternatives').with_command(['alternatives', '--install', '/usr/bin/java', 'java', '/usr/java/jre1.7.0_67/bin/java', '20000']) }
+    it {
+      is_expected.to contain_exec('create-java-alternatives').with(
+      {
+        command: ['alternatives', '--install', '/usr/bin/java', 'java', '/usr/java/jre1.7.0_67/bin/java', '20000'],
+        unless: 'alternatives --display java | grep -q /usr/java/jre1.7.0_67/bin/java',
+      },
+    )
+    }
     it { is_expected.to contain_exec('update-java-alternatives').with_command(['alternatives', '--set', 'java', '/usr/java/jre1.7.0_67/bin/java']) }
   end
 
+  context 'when select Malicious JRE with alternatives for CentOS 6.3' do
+    let(:facts) { { os: { family: 'RedHat', name: 'CentOS', release: { full: '6.3' }, architecture: 'x86_64' } } }
+    let(:params) { { 'package' => 'jre', 'java_alternative' => '/usr/bin/java', 'java_alternative_path' => '/usr/java ; rm -rf /etc' } }
+
+    it { is_expected.to contain_exec('create-java-alternatives').with_unless('alternatives --display java | grep -q /usr/java\\ \\;\\ rm\\ -rf\\ /etc') }
+  end
+
   context 'when select passed value for CentOS 5.3' do
     let(:facts) { { os: { family: 'RedHat', name: 'CentOS', release: { full: '5.3' }, architecture: 'x86_64' } } }
     let(:params) { { 'package' => 'jdk', 'java_home' => '/usr/local/lib/jre' } }

Original file line number	Diff line number	Diff line change
`@@ -26,12 +26,12 @@`
`26`	`26`	`# For the stanard packages java::params needs these added.`
`27`	`27`	`if $java::use_java_package_name != $java::default_package_name {`
`28`	`28`	`$command_redhat = ['alternatives', '--install', '/usr/bin/java', 'java', $java::use_java_alternative_path, '20000']`
`29`		`- $unless_redhat = "alternatives --display java \| grep -q ${java::use_java_alternative_path}"`
	`29`	`+ $unless_redhat = "alternatives --display java \| grep -q ${shell_escape($java::use_java_alternative_path)}"`
`30`	`30`
`31`	`31`	`exec { 'create-java-alternatives':`
`32`	`32`	`path => '/usr/bin:/usr/sbin:/bin:/sbin',`
`33`	`33`	`command => $command_redhat,`
`34`		`- unless => shell_escape($unless_redhat),`
	`34`	`+ unless => $unless_redhat,`
`35`	`35`	`before => Exec['update-java-alternatives'],`
`36`	`36`	`}`
`37`	`37`	`}`