[BUG] Ampersand mangled when used in an ARG
[MANDATORY] Describe the bug [MANDATORY]
When a Bastillefile template receives an ARG value with an ampersand (&) it is mangled down the line by sed(1) because it is not escaped and cannot be escaped.
[MANDATORY] Bastille and FreeBSD version (paste bastille -v && freebsd-version -kru output)
0.8.20210115
12.2-STABLE
12.2-STABLE
12.2-STABLE
[MANDATORY] How did you install bastille? (port/pkg/git) ports
[optional] Steps to reproduce? Call a template:
bastille template deblndw013x3j ldadw/base-complete --arg ROOT_FULLNAME="Michael '&' Osipov" ...
template ldadw/base-complete:
ARG ROOT_FULLNAME
...
INCLUDE ldadw/root-config --arg ROOT_FULLNAME="${ROOT_FULLNAME}" ...
template ldadw/root-config:
ARG ROOT_FULLNAME
...
CMD pw usermod root -c "${ROOT_FULLNAME}"
Running Bastille with -x shows:
+ sed -e 's/${JAIL_IP}//g' -e 's/${JAIL_NAME}/deblndw013x3j/g' -e $'s/${ROOT_FULLNAME}/Michael \'&\' Osipov/g' -e 's/${AUTHORIZED_KEYS}/\/tmp\/authorized_keys/g' -e 's/${K5LOGIN}/\/tmp\/k5login/g' -e 's/${FORWARD}/\/tmp\/forward/g' -e 's/${INSTALL_SOFTWARE_FROM}/packages/g'
+ _args=$'ldadw/root-config --arg ROOT_FULLNAME="Michael \'${ROOT_FULLNAME}\' Osipov" --arg AUTHORIZED_KEYS="/tmp/authorized_keys" --arg K5LOGIN="/tmp/k5login" --arg FORWARD="/tmp/forward"'
+ _cmd=template
+ eval $'bastille template deblndw013x3j ldadw/root-config --arg ROOT_FULLNAME="Michael \'${ROOT_FULLNAME}\' Osipov" --arg AUTHORIZED_KEYS="/tmp/authorized_keys" --arg K5LOGIN="/tmp/k5login" --arg FORWARD="/tmp/forward"'
+ bastille template deblndw013x3j ldadw/root-config --arg $'ROOT_FULLNAME=Michael \'\' Osipov' --arg 'AUTHORIZED_KEYS=/tmp/authorized_keys' --arg 'K5LOGIN=/tmp/k5login' --arg 'FORWARD=/tmp/forward'
manpage says:
An ampersand (“&”) appearing in the replacement is replaced by
the string matching the RE. The special meaning of “&” in this
context can be suppressed by preceding it by a backslash. The
string “\#”, where “#” is a digit, is replaced by the text
matched by the corresponding backreference expression (see
re_format(7)).
So I tried it, same result:
+ echo 'INCLUDE ldadw/root-config --arg ROOT_FULLNAME="${ROOT_FULLNAME}" --arg AUTHORIZED_KEYS="${AUTHORIZED_KEYS}" --arg K5LOGIN="${K5LOGIN}" --arg FORWARD="${FORWARD}"'
+ awk '{$1=""; sub(/^ */, ""); print;}'
+ eval $'sed -e \'s/${JAIL_IP}//g\' -e \'s/${JAIL_NAME}/deblndw013x3j/g\' -e \'s/${ROOT_FULLNAME}/Michael \'\\\'\'\\\\&\'\\\'\' Osipov/g\' -e \'s/${AUTHORIZED_KEYS}/\\/tmp\\/authorized_keys/g\' -e \'s/${K5LOGIN}/\\/tmp\\/k5login/g\' -e \'s/${FORWARD}/\\/tmp\\/forward/g\' -e \'s/${INSTALL_SOFTWARE_FROM}/packages/g\''
+ sed -e 's/${JAIL_IP}//g' -e 's/${JAIL_NAME}/deblndw013x3j/g' -e $'s/${ROOT_FULLNAME}/Michael \'\\\\&\' Osipov/g' -e 's/${AUTHORIZED_KEYS}/\/tmp\/authorized_keys/g' -e 's/${K5LOGIN}/\/tmp\/k5login/g' -e 's/${FORWARD}/\/tmp\/forward/g' -e 's/${INSTALL_SOFTWARE_FROM}/packages/g'
+ _args=$'ldadw/root-config --arg ROOT_FULLNAME="Michael \'\\${ROOT_FULLNAME}\' Osipov" --arg AUTHORIZED_KEYS="/tmp/authorized_keys" --arg K5LOGIN="/tmp/k5login" --arg FORWARD="/tmp/forward"'
+ _cmd=template
+ eval $'bastille template deblndw013x3j ldadw/root-config --arg ROOT_FULLNAME="Michael \'\\${ROOT_FULLNAME}\' Osipov" --arg AUTHORIZED_KEYS="/tmp/authorized_keys" --arg K5LOGIN="/tmp/k5login" --arg FORWARD="/tmp/forward"'
+ bastille template deblndw013x3j ldadw/root-config --arg $'ROOT_FULLNAME=Michael \'${ROOT_FULLNAME}\' Osipov' --arg 'AUTHORIZED_KEYS=/tmp/authorized_keys' --arg 'K5LOGIN=/tmp/k5login' --arg 'FORWARD=/tmp/forward'
[optional] Expected behavior
The arg value to be passed as-is or escape chars for sed(1) to be respected.
[optional] Additional context Add any other context about the problem here.
@chriswells0 has this one been fixed? If so, what PR / branch?
Doesn't look to be fixed. Here is a sample Bastillefile to reproduce it:
ARG NAME
CMD echo "My name is $NAME" > /root/my-name
CMD cat /root/my-name
Running it has the following result:
# sudo bastille template foo samples/foo --arg NAME="Me '&' You"
[foo]:
Applying template: samples/foo...
[foo]:
[foo]: 0
[foo]:
My name is
[foo]: 0
Template applied: succont/foo
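
Added example, not part of the issue thread and not Bastille's code: escaping an ARG value for the replacement half of a sed s/// command before the expression is built, next to the unescaped form from the trace. The function names are hypothetical; it assumes ARG names contain only letters, digits and underscores, and that sed is called directly with no eval step in between.

```sh
#!/bin/sh
# Added example, not Bastille code; all function names are hypothetical.
# Assumes ARG names contain only [A-Za-z0-9_] and sed is invoked directly.

# Escape a value for the replacement half of s/RE/replacement/ with "/" as
# the delimiter: backslash, "/" and "&" each get a leading backslash.
# A newline would terminate the sed command early, so it is rejected.
sed_escape_replacement() {
    case $1 in
        *'
'*) return 1 ;;
    esac
    printf '%s' "$1" | sed -e 's/[\/&]/\\&/g'
}

# Substitution as seen in the trace: the value is pasted into the
# replacement unchanged, so sed expands "&" to the matched placeholder.
render_unescaped() {    # $1 = ARG name, $2 = value, stdin = template text
    sed -e "s/\${$1}/$2/g"
}

# Same substitution with the value escaped first.
render_escaped() {      # $1 = ARG name, $2 = value, stdin = template text
    _val=$(sed_escape_replacement "$2") || return 1
    sed -e "s/\${$1}/${_val}/g"
}

# Constructed input: the INCLUDE line and ARG value quoted in the issue.
line='INCLUDE ldadw/root-config --arg ROOT_FULLNAME="${ROOT_FULLNAME}"'
value="Michael '&' Osipov"
printf '%s\n' "$line" | render_unescaped ROOT_FULLNAME "$value"
printf '%s\n' "$line" | render_escaped ROOT_FULLNAME "$value"
```

The first printed line reproduces the mangled value from the trace; the second carries the ampersand through unchanged.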