Harden root_password class

chelnak · chelnak · commit 90168d93834f · 2022-08-23T10:40:18.000Z
Prior to this commit there was a possibility that malformed
strings could be passed in to the resource. This could lead
to unsafe executions on a remote system.

The parameters that are susceptible are `install_secret_file`.

This commit fixes the above by adding validation to ensure the given
values confirm to expectation.

`secret_file` is validated with a regular expression that ensures the
given value is a valid path.
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -9,7 +9,6 @@
   $purge_conf_dir         = false
   $restart                = false
   $root_password          = 'UNSET'
-  $install_secret_file    = '/.mysql_secret'
   $server_package_ensure  = 'present'
   $server_package_manage  = true
   $server_service_manage  = true
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -17,8 +17,6 @@
 #   The location, as a path, of !includedir for custom configuration overrides.
 # @param install_options
 #   Passes [install_options](https://docs.puppetlabs.com/references/latest/type.html#package-attribute-install_options) array to managed package resources. You must pass the appropriate options for the specified package manager
-# @param install_secret_file
-#   Path to secret file containing temporary root password.
 # @param manage_config_file
 #   Whether the MySQL configuration file should be managed. Valid values are `true`, `false`. Defaults to `true`.
 # @param options
@@ -81,7 +79,6 @@
   $config_file_mode        = $mysql::params::config_file_mode,
   $includedir              = $mysql::params::includedir,
   $install_options         = undef,
-  $install_secret_file     = $mysql::params::install_secret_file,
   $manage_config_file      = $mysql::params::manage_config_file,
   Mysql::Options  $options                 = {},
   $override_options        = {},
diff --git a/manifests/server/root_password.pp b/manifests/server/root_password.pp
@@ -16,20 +16,15 @@
   }
 
   $options = $mysql::server::_options
-  $secret_file = $mysql::server::install_secret_file
   $login_file = $mysql::server::login_file
 
   # New installations of MySQL will configure a default random password for the root user
   # with an expiration. No actions can be performed until this password is changed. The
   # below exec will remove this default password. If the user has supplied a root
   # password it will be set further down with the mysql_user resource.
-  $rm_pass_cmd = join([
-      "mysqladmin -u root --password=\$(grep -o '[^ ]\\+\$' ${secret_file}) password ''",
-      "rm -f ${secret_file}",
-  ], ' && ')
   exec { 'remove install pass':
-    command => $rm_pass_cmd,
-    onlyif  => "test -f ${secret_file}",
+    command => "mysqladmin -u root --password=\$(grep -o '[^ ]\\+\$' /.mysql_secret) password && (rm -f  /.mysql_secret; exit 0) || (rm -f /.mysql_secret; exit 1)",
+    onlyif  => [['test', '-f' ,'/.mysql_secret']],
     path    => '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin',
   }
 
diff --git a/pdk.yaml b/pdk.yaml
@@ -0,0 +1,2 @@
+---
+ignore: []
