> On Feb 27, 2017, at 9:59 AM, David Schmitt <david.schm...@puppet.com> wrote:
>
> Commands
>
> To use CLI commands in a safe and comfortable manner, the implementation can
> use the commands method to access shell commands. You can either use a full
> path, or a bare command name. In the latter case puppet will use the system
> PATH setting to search for the command. If the commands are not available, an
> error will be raised and the resources will fail in this run. The commands
> are aware of whether noop is in effect or not, and will skip the actual
> execution if necessary.
>
> Puppet::ResourceImplementation.register('apt_key') do
> commands apt_key: '/usr/bin/apt-key'
> commands gpg: 'gpg'
> This will create methods called apt_get, and gpg, which will take CLI
> arguments without any escaping, and run them in a safe environment (clean
> working directory, clean environment). For example to call apt-key to delete
> a specific key by id:
>
If the goal here is safe execution shouldn’t it escape at least shell special
characters? My concern is based on some of the providers I work on which take
free form strings as arguments and any type that doesn’t fully validate or
munge inputs.
There is a risk that any provider* today can suffer from shell command
injection. It seems that using shelljoin on the argument array would be useful
or shellesacpe on each element. However, for a simplified API it seems that it
could be done more centrally here instead of pushing it to each implementation
to make sure it is done if needed.
* That can’t exclude shell characters and doesn’t munge input to escape them.
Thanks
Shawn
> apt_key 'del', key_id
> By default the stdout of the command is logged to debug, while the stderr is
> logged to warning. To access the stdout in the implementation, use the
> command name with _lines appended, and process it through the returned
> Enumerable <http://ruby-doc.org/core/Enumerable.html> line-by-line. For
> example, to process the list of all apt keys:
>
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/D0519A28-5F3E-4049-9351-B5C260823B2E%40oracle.com.
For more options, visit https://groups.google.com/d/optout.
