ENT-13535: Added packages promiser sanitation by larsewi · Pull Request #5967 · cfengine/core

+     *     #      Comment character, can truncate commands
+     *     \n \r  Newlines can inject additional commands
+     */
+    const char *shell_metacharacters = ";|&`$(){}[]<>!#*?~\\'\"\n\r";


@olehermanse maybe this is too strict?

Ah, I do think the tilde is likely too strict and needed for some package names. I remember @nickanderson mentioning it I think. I checked OpenBSD and Debian and your list seems fine for those based on a simple package name search, but not on the other ways to specify package names with meta information maybe like versions and such.

Maybe a better way here is to have a default in C code that is maybe too strict and add a common attribute that can override that default so folks can make a choice without changing C code.

Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>

I also refactored the code to use a dynamic buffer when assembling the commands. Estimating the buffer size needed is error prone and can quickly lead to buffer overflows. Ticket: ENT-13535 Changelog: Title Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>

larsewi · 2025-12-04T13:56:00Z

@cf-bottom Jenkins please :)

cf-bottom · 2025-12-04T14:00:02Z

Alright, I triggered a build:

Jenkins: https://ci.cfengine.com/job/pr-pipeline/13120/

Packages: http://buildcache.cfengine.com/packages/testing-pr/jenkins-pr-pipeline-13120/

craigcomstock · 2025-12-04T20:50:53Z

@larsewi regarding the CI failure, a small fix might fix it: #5981 (I couldn't push to the PR so a separate temporary PR is there with a VERY tiny fix. :) )

… quoting arguments Ticket: ENT-13535 Changelog: none (cherry picked from commit 6f97d0a)

larsewi · 2025-12-05T20:41:51Z

@cf-bottom Jenkins please :)

cf-bottom · 2025-12-05T20:45:09Z

Alright, I triggered a build:

Jenkins: https://ci.cfengine.com/job/pr-pipeline/13149/

Packages: http://buildcache.cfengine.com/packages/testing-pr/jenkins-pr-pipeline-13149/

larsewi marked this pull request as ready for review November 28, 2025 15:00

larsewi commented Nov 29, 2025

View reviewed changes

tests/acceptance/07_packages/packages_command.cf Outdated Show resolved Hide resolved

larsewi requested review from craigcomstock and olehermanse November 29, 2025 11:50

craigcomstock approved these changes Dec 1, 2025

View reviewed changes

larsewi commented Dec 2, 2025

View reviewed changes

larsewi force-pushed the packages branch from 53e4c66 to e865642 Compare December 2, 2025 09:13

This was referenced Dec 2, 2025

ENT-13535: Added packages promiser sanitation (3.24.x) #5973

Merged

ENT-13535: Added packages promiser sanitation (3.21.x) #5974

Merged

Constified command argument in ExecPackageCommand()

ef1f52a

Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>

larsewi force-pushed the packages branch from e865642 to 61ff0f6 Compare December 4, 2025 12:51

larsewi force-pushed the packages branch from 61ff0f6 to aaf314a Compare December 4, 2025 13:54

craigcomstock approved these changes Dec 4, 2025

View reviewed changes

Fixed package related acceptance test for Windows platform related to…

1cfd89e

… quoting arguments Ticket: ENT-13535 Changelog: none (cherry picked from commit 6f97d0a)

larsewi force-pushed the packages branch from becdba7 to 1cfd89e Compare December 5, 2025 18:47

craigcomstock mentioned this pull request Dec 5, 2025

ent 13535/master #5981

Closed

larsewi merged commit 9525710 into cfengine:master Dec 7, 2025
12 checks passed

Conversation

larsewi commented Nov 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

larsewi commented Nov 28, 2025

Uh oh!

cf-bottom commented Nov 28, 2025

Uh oh!

Uh oh!

larsewi commented Nov 29, 2025

Uh oh!

cf-bottom commented Nov 29, 2025

Uh oh!

larsewi commented Dec 1, 2025 • edited by atlassian bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

craigcomstock left a comment

Choose a reason for hiding this comment

Uh oh!

larsewi Dec 2, 2025

Choose a reason for hiding this comment

Uh oh!

craigcomstock Dec 2, 2025

Choose a reason for hiding this comment

Uh oh!

larsewi commented Dec 4, 2025

Uh oh!

cf-bottom commented Dec 4, 2025

Uh oh!

craigcomstock commented Dec 4, 2025

Uh oh!

larsewi commented Dec 5, 2025

Uh oh!

cf-bottom commented Dec 5, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

3 participants

larsewi commented Nov 28, 2025 •

edited

Loading

larsewi commented Dec 1, 2025 •

edited by atlassian bot

Loading