From 1c1291d27883fc41eab666eb65f3c85071d6c696 Mon Sep 17 00:00:00 2001
From: Craig Gumbley <craiggumbley@gmail.com>
Date: Fri, 19 Aug 2022 11:29:31 +0000
Subject: [PATCH] Harden config class

Prior to this commit the variables `dir` and `mysql::server::package_name`
were passed to `exec` resources in such a way that could allow unsafe executions
on the remote host.

This commit fixes the above by properly parameterizing the arguments passed to each
`exec` resource.

Additionally the variables been sanitized with `shell_escape` for good measure.
---
 manifests/server/config.pp | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index 0b8bb947c..6827d085a 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
@@ -39,14 +39,19 @@
       if $managed_dirs {
         $managed_dirs.each | $entry | {
           $dir = $options['mysqld']["${entry}"]
+
           if ( $dir and $dir != '/usr' and $dir != '/tmp' ) {
+            $clean_dir = shell_escape($dir)
+            $clean_package_name = shell_escape($mysql::server::package_name)
+
             exec { "${entry}-managed_dir-mkdir":
-              command => "/bin/mkdir -p ${dir}",
-              unless  => "/usr/bin/dpkg -s ${mysql::server::package_name}",
+              command => ['/bin/mkdir', '-p', $clean_dir],
+              unless  => [['/usr/bin/dpkg', '-s', $clean_package_name]],
               notify  => Exec["${entry}-managed_dir-chmod"],
             }
+
             exec { "${entry}-managed_dir-chmod":
-              command     => "/bin/chmod 777 ${dir}",
+              command     => ['/bin/chmod', '777', $clean_dir],
               refreshonly => true,
             }
           }