(maint) Codebase Hardening

david22swan · david22swan · commit 419078920b03 · 2022-09-23T09:27:23.000+01:00
Changes made to ensure that no malformed commands are passed through to the system.
diff --git a/manifests/custom_config.pp b/manifests/custom_config.pp
@@ -115,9 +115,10 @@
       require     => Anchor['::apache::modules_set_up'],
     }
 
+    $remove_command = ['/bin/rm', shell_escape(join([$confdir, $_filename], '/'))]
     exec { "remove ${name} if invalid":
-      command     => "/bin/rm ${confdir}/${_filename}",
-      unless      => $verify_command,
+      command     => $remove_command,
+      unless      => [$verify_command],
       subscribe   => File["apache_${name}"],
       refreshonly => true,
     }
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -635,7 +635,9 @@
     path => '/bin:/sbin:/usr/bin:/usr/sbin',
   }
 
+  $confd_command = ['mkdir', $confd_dir]
   exec { "mkdir ${confd_dir}":
+    command => $confd_command,
     creates => $confd_dir,
     require => Package['httpd'],
   }
@@ -660,7 +662,9 @@
   }
 
   if ! defined(File[$mod_dir]) {
+    $mod_command = ['mkdir', $mod_dir]
     exec { "mkdir ${mod_dir}":
+      command => $mod_command,
       creates => $mod_dir,
       require => Package['httpd'],
     }
@@ -678,7 +682,9 @@
 
   if $mod_enable_dir and ! defined(File[$mod_enable_dir]) {
     $mod_load_dir = $mod_enable_dir
+    $mod_enable_command = ['mkdir', $mod_enable_dir]
     exec { "mkdir ${mod_enable_dir}":
+      command => $mod_enable_command,
       creates => $mod_enable_dir,
       require => Package['httpd'],
     }
@@ -694,7 +700,9 @@
   }
 
   if ! defined(File[$vhost_dir]) {
+    $vhost_command = ['mkdir', $vhost_dir]
     exec { "mkdir ${vhost_dir}":
+      command => $vhost_command,
       creates => $vhost_dir,
       require => Package['httpd'],
     }
@@ -709,7 +717,9 @@
 
   if $vhost_enable_dir and ! defined(File[$vhost_enable_dir]) and $manage_vhost_enable_dir {
     $vhost_load_dir = $vhost_enable_dir
+    $vhost_load_command = ['mkdir', $vhost_load_dir]
     exec { "mkdir ${vhost_load_dir}":
+      command => $vhost_load_command,
       creates => $vhost_load_dir,
       require => Package['httpd'],
     }
diff --git a/manifests/mpm/disable_mpm_event.pp b/manifests/mpm/disable_mpm_event.pp
@@ -1,19 +1,28 @@
 # @summary disable Apache-Module event
 class apache::mpm::disable_mpm_event {
+  $event_command = ['/usr/sbin/a2dismod', 'event']
+  $event_onlyif = ['/usr/bin/test', '-e', shell_escape(join([$apache::mod_enable_dir, 'event.load'],'/'))]
   exec { '/usr/sbin/a2dismod event':
-    onlyif  => "/usr/bin/test -e ${apache::mod_enable_dir}/event.load",
+    command => $event_command,
+    onlyif  => $event_onlyif,
     require => Package['httpd'],
     before  => Class['apache::service'],
   }
+
+  $event_load_command = ['/bin/rm', shell_escape(join([$apache::mod_enable_dir, 'event_event.load'],'/'))]
+  $event_load_onlyif = ['/usr/bin/test', '-e', shell_escape(join([$apache::mod_enable_dir, 'event_event.load'],'/'))]
   exec { 'remove distribution event load file':
-    command => "/bin/rm ${apache::mod_enable_dir}/mpm_event.load",
-    onlyif  => "/usr/bin/test -e ${apache::mod_enable_dir}/mpm_event.load",
+    command => $event_load_command,
+    onlyif  => $event_load_onlyif,
     require => Package['httpd'],
     before  => Class['apache::service'],
   }
+
+  $event_conf_command = ['/bin/rm', shell_escape(join([$apache::mod_enable_dir, 'event_event.conf'],'/'))]
+  $event_conf_onlyif = ['/usr/bin/test', '-e', shell_escape(join([$apache::mod_enable_dir, 'event_event.conf'],'/'))]
   exec { 'remove distribution event conf file':
-    command => "/bin/rm ${apache::mod_enable_dir}/mpm_event.conf",
-    onlyif  => "/usr/bin/test -e ${apache::mod_enable_dir}/mpm_event.conf",
+    command => $event_conf_command,
+    onlyif  => $event_conf_onlyif,
     require => Package['httpd'],
     before  => Class['apache::service'],
   }
diff --git a/manifests/mpm/disable_mpm_prefork.pp b/manifests/mpm/disable_mpm_prefork.pp
@@ -1,7 +1,10 @@
 # @summary disable Apache-Module prefork
 class apache::mpm::disable_mpm_prefork {
+  $prefork_command = ['/usr/sbin/a2dismod', 'prefork']
+  $prefork_onlyif = ['/usr/bin/test', '-e', shell_escape(join([$apache::mod_enable_dir, 'prefork.load'],'/'))]
   exec { '/usr/sbin/a2dismod prefork':
-    onlyif  => "/usr/bin/test -e ${apache::mod_enable_dir}/prefork.load",
+    command => $prefork_command,
+    onlyif  => $prefork_onlyif,
     require => Package['httpd'],
     before  => Class['apache::service'],
   }
diff --git a/manifests/mpm/disable_mpm_worker.pp b/manifests/mpm/disable_mpm_worker.pp
@@ -1,7 +1,10 @@
 # @summary disable Apache-Module worker
 class apache::mpm::disable_mpm_worker {
+  $worker_command = ['/usr/sbin/a2dismod', 'worker']
+  $worker_onlyif = ['/usr/bin/test', '-e', shell_escape(join([$apache::mod_enable_dir, 'worker.load'],'/'))]
   exec { '/usr/sbin/a2dismod worker':
-    onlyif  => "/usr/bin/test -e ${apache::mod_enable_dir}/worker.load",
+    command => $worker_command,
+    onlyif  => $worker_onlyif,
     require => Package['httpd'],
     before  => Class['apache::service'],
   }

Original file line number	Diff line number	Diff line change
`@@ -115,9 +115,10 @@`
`115`	`115`	`require => Anchor['::apache::modules_set_up'],`
`116`	`116`	`}`
`117`	`117`
	`118`	`+ $remove_command = ['/bin/rm', shell_escape(join([$confdir, $_filename], '/'))]`
`118`	`119`	`exec { "remove ${name} if invalid":`
`119`		`- command => "/bin/rm ${confdir}/${_filename}",`
`120`		`- unless => $verify_command,`
	`120`	`+ command => $remove_command,`
	`121`	`+ unless => [$verify_command],`
`121`	`122`	`subscribe => File["apache_${name}"],`
`122`	`123`	`refreshonly => true,`
`123`	`124`	`}`
Original file line number	Diff line number	Diff line change
`@@ -635,7 +635,9 @@`
`635`	`635`	`path => '/bin:/sbin:/usr/bin:/usr/sbin',`
`636`	`636`	`}`
`637`	`637`
	`638`	`+ $confd_command = ['mkdir', $confd_dir]`
`638`	`639`	`exec { "mkdir ${confd_dir}":`
	`640`	`+ command => $confd_command,`
`639`	`641`	`creates => $confd_dir,`
`640`	`642`	`require => Package['httpd'],`
`641`	`643`	`}`
`@@ -660,7 +662,9 @@`
`660`	`662`	`}`
`661`	`663`
`662`	`664`	`if ! defined(File[$mod_dir]) {`
	`665`	`+ $mod_command = ['mkdir', $mod_dir]`
`663`	`666`	`exec { "mkdir ${mod_dir}":`
	`667`	`+ command => $mod_command,`
`664`	`668`	`creates => $mod_dir,`
`665`	`669`	`require => Package['httpd'],`
`666`	`670`	`}`
`@@ -678,7 +682,9 @@`
`678`	`682`
`679`	`683`	`if $mod_enable_dir and ! defined(File[$mod_enable_dir]) {`
`680`	`684`	`$mod_load_dir = $mod_enable_dir`
	`685`	`+ $mod_enable_command = ['mkdir', $mod_enable_dir]`
`681`	`686`	`exec { "mkdir ${mod_enable_dir}":`
	`687`	`+ command => $mod_enable_command,`
`682`	`688`	`creates => $mod_enable_dir,`
`683`	`689`	`require => Package['httpd'],`
`684`	`690`	`}`
`@@ -694,7 +700,9 @@`
`694`	`700`	`}`
`695`	`701`
`696`	`702`	`if ! defined(File[$vhost_dir]) {`
	`703`	`+ $vhost_command = ['mkdir', $vhost_dir]`
`697`	`704`	`exec { "mkdir ${vhost_dir}":`
	`705`	`+ command => $vhost_command,`
`698`	`706`	`creates => $vhost_dir,`
`699`	`707`	`require => Package['httpd'],`
`700`	`708`	`}`
`@@ -709,7 +717,9 @@`
`709`	`717`
`710`	`718`	`if $vhost_enable_dir and ! defined(File[$vhost_enable_dir]) and $manage_vhost_enable_dir {`
`711`	`719`	`$vhost_load_dir = $vhost_enable_dir`
	`720`	`+ $vhost_load_command = ['mkdir', $vhost_load_dir]`
`712`	`721`	`exec { "mkdir ${vhost_load_dir}":`
	`722`	`+ command => $vhost_load_command,`
`713`	`723`	`creates => $vhost_load_dir,`
`714`	`724`	`require => Package['httpd'],`
`715`	`725`	`}`