Bug 1165754

Summary: Backticks in test descriptions cause troubles
Product: [Retired] Beaker
Reporter: Martin Frodl <mfrodl>
Component: command line
Assignee: Dan Callaghan <dcallagh>
Status: CLOSED CURRENTRELEASE
QA Contact: tools-bugs <tools-bugs>
Severity: unspecified
Priority: unspecified
Version: 0.18
CC: aigao, asaha, dcallagh, dowang
Target Milestone: 19.1
Keywords: Patch
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-12-17 08:40:21 UTC
Type: Bug

Description Martin Frodl 2014-11-19 15:41:02 UTC
Description of problem:

By default, beaker-wizard derives the test description from the summary of the linked bug if such is provided via the -b switch. This can be dangerous if the summary contains certain characters or character sequences which cause parts of the description to be evaluated as shell commands. Consider the following fictitious bug:

Bug 1234567 - I ran `rm -rf ~` and everything's gone suddenly

When you create a test for this bug using 'beaker-wizard -b 1234567', the following line finds its way into the Makefile:

        @echo "Description:     I ran `rm -rf ~` and everything's gone suddenly" >> $(METADATA)

And once 'make bkradd' is run, the 'rm -rf ~' command is indeed executed, indiscriminately erasing whatever it runs into.

In addition, if only a single backtick is present in the bug's summary (e.g. bug 1131006), make fails to generate the RPM altogether, complaining about a syntax error:

/bin/sh: -c: line 0: unexpected EOF while looking for matching ``'
/bin/sh: -c: line 1: syntax error: unexpected end of file
make[1]: *** [testinfo.desc] Error 1
make[1]: Leaving directory `/tmp/rhts-build-syjacMYR/extract-for-metadata'
make: *** [bkradd] Error 2


Would it be possible to prevent such troubles in one way or another, e.g. by replacing backticks with apostrophes automatically and perhaps something similar with the equivalent $(...) constructions?

Comment 1 Martin Frodl 2014-11-19 15:45:47 UTC
My bad, the quoted line from Makefile would look more like this:

        @echo "Description:     Test for BZ#1234567 (I ran `rm -rf ~` and everything's gone suddenly)" >> $(METADATA)

Nevertheless, this does not change the point of this bug in the slightest.

Comment 2 Dan Callaghan 2014-11-20 00:36:34 UTC
beaker-wizard really needs to do shell escaping on the values that it spits out into echo statements.

Comment 3 Nick Coghlan 2014-11-20 05:29:20 UTC
Agreed, and I think we should fix that ASAP.

Comment 4 Dan Callaghan 2014-11-24 02:34:32 UTC
According to <http://www.gnu.org/software/bash/manual/bashref.html#Double-Quotes> the characters with special meaning inside double-quotes are: $ ` \ ! "

I would prefer to escape those ones and leave the value in double-quotes, as opposed to just using pipes.quote. The output of pipes.quote is not very pretty (single-quoted, with ' quoted as '"'"') and is not amenable to adding parameter substitutions by hand later if desired.
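
The escaping approach from Comment 4, as an added example that is not part of this thread or of beaker-wizard's code: it backslash-escapes \ " $ and ` for a double-quoted shell string and, going one step beyond the comment, doubles $ because make expands the recipe line before the shell sees it. Function names and sample summaries are constructed here, and ! is left unescaped for the reason given in the first code comment.

```python
import subprocess

# Characters that stay special inside POSIX sh double quotes and that a
# preceding backslash neutralises. '!' is deliberately absent: history
# expansion is off in the non-interactive shell make starts, and a
# backslash placed before '!' would be kept in the output.
DQ_SPECIAL = '\\"$`'

# Constructed sample summaries; the payload is a harmless echo.
SAMPLES = [
    "I ran `echo INJECTED` and everything's gone suddenly",
    "only a single ` backtick",
    'uses $HOME, $(echo INJECTED), "quotes", a back\\slash and a bang!',
]


def escape_double_quoted(text):
    """Escape text for use between double quotes in a shell command."""
    if "\n" in text or "\r" in text:
        raise ValueError("value must fit on a single recipe line")
    return "".join("\\" + ch if ch in DQ_SPECIAL else ch for ch in text)


def escape_for_make_recipe(text):
    """Shell-escape, then double '$', which make expands before the shell."""
    return escape_double_quoted(text).replace("$", "$$")


def shell_roundtrip(text):
    """Return what /bin/sh passes on after parsing the escaped value."""
    # printf '%s' is used because some echo builtins interpret backslashes.
    command = "printf '%s' \"" + escape_double_quoted(text) + '"'
    result = subprocess.run(["/bin/sh", "-c", command],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for summary in SAMPLES:
        line = '\t@echo "Description:     %s" >> $(METADATA)' % (
            escape_for_make_recipe(summary))
        print(line)
        assert shell_roundtrip(summary) == summary
```

A round trip that returns the summary unchanged shows the shell treated the backticks and $(...) as literal text rather than running them.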

Comment 5 Dan Callaghan 2014-11-24 03:02:22 UTC
http://gerrit.beaker-project.org/3507

Comment 8 Dan Callaghan 2014-12-17 08:40:21 UTC
Beaker 19.1 is released.