From cdaa8393e3fe9b8f971945ee8cb1f3e933902a0d Mon Sep 17 00:00:00 2001
From: Craig Gumbley <craiggumbley@gmail.com>
Date: Fri, 19 Aug 2022 11:16:20 +0000
Subject: [PATCH] Harden service class

Prior to this commit the variable `mysqlsocket` was passed to the `exec` resource
in such a way that could allow unsafe executions on the remote host.

This commit fixes the above by properly parameterizing the arguments passed
to the `command` and `unless` parameters of the `exec` resource.

The variable is also wrapped with a `shell_escape` for good measure.
---
 manifests/server/service.pp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/manifests/server/service.pp b/manifests/server/service.pp
index 8803027ba..51da0a7ac 100644
--- a/manifests/server/service.pp
+++ b/manifests/server/service.pp
@@ -52,10 +52,11 @@
       $mysqlsocket = $options['mysqld']['socket']
     }
 
+    $test_command = ['test', '-S', shell_escape($mysqlsocket)]
     if $service_ensure != 'stopped' {
       exec { 'wait_for_mysql_socket_to_open':
-        command   => "test -S ${mysqlsocket}",
-        unless    => "test -S ${mysqlsocket}",
+        command   => $test_command,
+        unless    => [$test_command],
         tries     => '3',
         try_sleep => '10',
         require   => Service['mysqld'],