NagiosEnterprises / ncpa

Nagios Cross-Platform Agent

Unquoted variables in Bash scripts #1045

Open pittagurneyi opened 7 months ago

pittagurneyi commented 7 months ago

All unquoted variables in the .sh scripts are subject to Word Splitting, Pathname Expansion, etc. by bash, making these statements very risky:

$ find . -name '*.sh' -exec grep 'rm ' {} + | grep '\$'
./build/solaris/setup.sh:    rm -rf $PYTHONTAR
./build/solaris/package.sh:rm -rf $DIR/pkginfo.tmp
./build/resources/macosuninstall.sh:        rm -rf $homedir
./build/resources/macosinstall.sh:    rm -rf ${homedir}/etc
./build/linux/package.sh:        rm -r $BUILD_RPM_DIR
./build/linux/package.sh:    rm -f $BUILD_RPM_DIR/SPECS/ncpa.spec
./build/linux/installers.sh:        rm -rf zlib-$zLib_new_version
./build/linux/installers.sh:        rm -rf openssl-$ssl_new_version
./build/linux/installers.sh:    #rm -rf $pythontar
./build/build_github.sh:rm -rf $BUILD_DIR/ncpa
./build/build_github.sh:rm -f $BUILD_DIR/ncpa/libffi-*.so.*
./build/build_github.sh:# rm -rf ncpa-$NCPA_VER
./build/build.sh:    sudo rm -rf $BUILD_DIR/ncpa-*
./build/build.sh:    sudo rm -rf $AGENT_DIR/build
./build/build.sh:    sudo rm -rf $BUILD_DIR/NCPA-INSTALL-*
./build/build.sh:    sudo rm -f $BUILD_DIR/*.rpm $BUILD_DIR/*.dmg $BUILD_DIR/*.deb
./build/build.sh:    sudo rm -f $BUILD_DIR/ncpa.spec
./build/build.sh:    sudo rm -f $BUILD_DIR/*.tar.gz
./build/build.sh:    sudo rm -rf $BUILD_ROOT
./build/build.sh:    sudo rm -rf $BUILD_DIR/debbuild
./build/build.sh:find $AGENT_DIR -name *.pyc -exec rm '{}' \;
./build/build.sh:    sudo rm -rf $BUILD_DIR/ncpa
./build/build.sh:    sudo rm -f $BUILD_DIR/ncpa/libffi-*.so.*
./build/build.sh:    sudo rm -rf ncpa-$NCPA_VER
./build/aix/package.sh:    rm -f $BUILD_RPM_DIR/SPECS/ncpa.spec

Should for whatever reason $BUILD_DIR expand to ... / ..., then this runs sudo rm -rf /, as rm just ignores missing directories/files it is supplied with and operates on each argument, i.e. file/directory.

Given that BUILD_DIR is constructed from the path of the script location, it becomes interesting the moment the user unpacks the archive into a path that contains a space or some other fun characters.

BUILD_DIR=$(dirname "$(readlink -f "$0")")
sudo rm -rf $BUILD_DIR/ncpa-*

What it should look like is this:

BUILD_DIR="$(dirname -- "$(readlink -f -- "$0")")"
sudo rm -rf -- "$BUILD_DIR"/ncpa-*

Reading material:

Here is another one:

NCPA_VER=$(cat $BUILD_DIR/../VERSION)
# fixed:
NCPA_VER="$(<"$BUILD_DIR"/../VERSION)"

Also fun:

sudo mkdir -p $AGENT_DIR/plugins
# fixed:
sudo mkdir -p -- "$AGENT_DIR"/plugins

It would create the plugins directory in all the locations $AGENT_DIR would be split into, because it is not quoted. Since -p is used, it will not even fail if the parent directory does not yet exist, and will create it as well.

For the time being I won't be running these scripts on anything other than a fresh virtual machine that isn't used for anything else.

Sadly I don't have the time to fix it all as I'm quite busy at the moment.
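The word splitting described in this issue, as an added example that is not code from the NCPA repository or from the issue author: it passes the unquoted and the quoted expansion to a harmless stand-in for `rm -rf` and reports the arguments each form produces. `SAMPLE_DIR`, `show_argv`, `unquoted_argv`, `quoted_argv`, `hits_root` and `argc` are hypothetical names, and the path is a constructed sample.

```shell
#!/bin/sh
# Added example. Nothing is deleted: show_argv stands in for `rm -rf`
# and only reports the arguments it was handed.

# Constructed sample: a checkout path containing spaces and a lone "/".
SAMPLE_DIR='/home/user/my builds / ncpa'

# Print one line per argument, as "[arg]".
show_argv() {
    for arg in "$@"; do
        printf '[%s]\n' "$arg"
    done
}

# Arguments produced by the unquoted form quoted in the issue.
unquoted_argv() {
    BUILD_DIR=$1
    # Deliberately unquoted: this is the pattern under test.
    # shellcheck disable=SC2086
    show_argv $BUILD_DIR/ncpa
}

# Arguments produced by the quoted form proposed in the issue.
quoted_argv() {
    BUILD_DIR=$1
    show_argv "$BUILD_DIR"/ncpa
}

# Print "yes" if a show_argv report contains an argument that is
# exactly "/", else "no".
hits_root() {
    if printf '%s\n' "$1" | grep -Fqx '[/]'; then echo yes; else echo no; fi
}

# Number of arguments in a show_argv report.
argc() { printf '%s\n' "$1" | grep -c '^\['; }

echo "unquoted:"; unquoted_argv "$SAMPLE_DIR"
echo "quoted:";   quoted_argv "$SAMPLE_DIR"
```

With the sample path, the unquoted form yields four separate arguments, one of them a bare `/`, while the quoted form yields a single path.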