Merge pull request #1050 from puppetlabs/cve_release

5.2.1 mergeback

Author: eputnam

CHANGELOG.md

@@ -3,6 +3,13 @@
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org).
 
+## Supported Release [5.2.1]
+### Summary
+This release fixes CVE-2018-6508 which is a potential arbitrary code execution via tasks.
+
+### Fixed
+- Fix export and mysql tasks for arbitrary remote code
+
 ## Supported Release [5.2.0]
 
 ### Added

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "puppetlabs-mysql",
-  "version": "5.2.0",
+  "version": "5.2.1",
   "author": "Puppet Labs",
   "summary": "Installs, configures, and manages the MySQL service.",
   "license": "Apache-2.0",

tasks/sql.rb

@@ -4,11 +4,11 @@
 require 'puppet'
 
 def get(sql, database, user, password)
-  cmd_string = "mysql -e \"#{sql}\""
-  cmd_string << " --database=#{database}" unless database.nil?
-  cmd_string << " --user=#{user}" unless user.nil?
-  cmd_string << " --password=#{password}" unless password.nil?
-  stdout, _stderr, status = Open3.capture3(cmd_string)
+  cmd = ['mysql', '-e', "#{sql} "]
+  cmd << "--database=#{database}" unless database.nil?
+  cmd << "--user=#{user}" unless user.nil?
+  cmd << "--password=#{password}" unless password.nil?
+  stdout, stderr, status = Open3.capture3(*cmd) # rubocop:disable Lint/UselessAssignment
   raise Puppet::Error, _("stderr: ' %{stderr}') % { stderr: stderr }") if status != 0
   { status: stdout.strip }
 end