Bug 1165754 - Backticks in test descriptions cause troubles
Summary: Backticks in test descriptions cause troubles
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Beaker
Classification: Retired
Component: command line
Version: 0.18
Hardware: Unspecified
OS: Unspecified
Target Milestone: 19.1
Assignee: Dan Callaghan
QA Contact: tools-bugs
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-11-19 15:41 UTC by Martin Frodl
Modified: 2018-02-06 00:41 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-12-17 08:40:21 UTC
Embargoed:



Description Martin Frodl 2014-11-19 15:41:02 UTC
Description of problem:

By default, beaker-wizard derives the test description from the summary of the linked bug if one is provided via the -b switch. This can be dangerous if the summary contains certain characters or character sequences which cause parts of the description to be evaluated as shell commands. Consider the following fictitious bug:

Bug 1234567 - I ran `rm -rf ~` and everything's gone suddenly

When you create a test for this bug using 'beaker-wizard -b 1234567', the following line finds its way to Makefile:

        @echo "Description:     I ran `rm -rf ~` and everything's gone suddenly" >> $(METADATA)

And once 'make bkradd' is run, the 'rm -rf ~' command is indeed executed, indiscriminately erasing whatever it runs into.

In addition, if only a single backtick is present in the bug's summary (e.g. bug 1131006), make fails to generate the RPM altogether, complaining about a syntax error:

/bin/sh: -c: line 0: unexpected EOF while looking for matching ``'
/bin/sh: -c: line 1: syntax error: unexpected end of file
make[1]: *** [testinfo.desc] Error 1
make[1]: Leaving directory `/tmp/rhts-build-syjacMYR/extract-for-metadata'
make: *** [bkradd] Error 2


Would it be possible to prevent such troubles in one way or another, e.g. by replacing backticks with apostrophes automatically and perhaps something similar with the equivalent $(...) constructions?

Comment 1 Martin Frodl 2014-11-19 15:45:47 UTC
My bad, the quoted line from Makefile would look more like this:

        @echo "Description:     Test for BZ#1234567 (I ran `rm -rf ~` and everything's gone suddenly)" >> $(METADATA)

Nevertheless, this does not change the point of this bug in the slightest.

Comment 2 Dan Callaghan 2014-11-20 00:36:34 UTC
beaker-wizard really needs to do shell escaping on the values that it spits out into echo statements.

Comment 3 Nick Coghlan 2014-11-20 05:29:20 UTC
Agreed, and I think we should fix that ASAP.

Comment 4 Dan Callaghan 2014-11-24 02:34:32 UTC
According to <http://www.gnu.org/software/bash/manual/bashref.html#Double-Quotes> the characters with special meaning inside double-quotes are: $ ` \ ! "

I would prefer to escape those ones and leave the value in double-quotes, as opposed to just using pipes.quote. The output of pipes.quote is not very pretty (single-quoted, with ' quoted as '"'"') and is not amenable to adding parameter substitutions by hand later if desired.
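
The approach described in Comment 4 (backslash-escape the characters that stay special inside double quotes and keep the value double-quoted), written out in Python as an added example; it is not the beaker-wizard change itself. The function names, the `$$` doubling for make, and the canary samples are assumptions of this example, not taken from the bug.

```python
import re
import subprocess

# Characters that keep a special meaning inside shell double quotes and
# can be neutralised with a backslash. "!" is left alone on purpose: make
# runs recipes in a non-interactive shell (no history expansion), and bash
# does not remove a backslash placed before "!" inside double quotes.
_DQ_SPECIAL = re.compile(r'([\\"$`])')


def escape_double_quoted(value):
    """Escape value for use between double quotes in a shell command."""
    # A recipe line must stay on one line, so collapse any line breaks.
    value = " ".join(value.splitlines())
    return _DQ_SPECIAL.sub(r"\\\1", value)


def makefile_echo_line(label, value):
    """Build a recipe line shaped like the one quoted in the bug (hypothetical helper)."""
    escaped = escape_double_quoted(value)
    # make expands "$" before the shell sees the line, so double it.
    escaped = escaped.replace("$", "$$")
    return '\t@echo "%s:     %s" >> $(METADATA)' % (label, escaped)


def shell_roundtrip(value):
    """Return what /bin/sh prints for the escaped, double-quoted value."""
    # printf is used instead of echo because echo's backslash handling
    # differs between shells.
    cmd = 'printf "%%s" "%s"' % escape_double_quoted(value)
    return subprocess.check_output(["/bin/sh", "-c", cmd]).decode()


# Constructed samples with a harmless canary instead of a destructive command.
SAMPLES = [
    "I ran `echo INJECTED` and everything's gone suddenly",
    "Unbalanced ` backtick in summary",
    'Uses $(echo INJECTED), $HOME, "quotes" and a \\ backslash',
]

if __name__ == "__main__":
    for s in SAMPLES:
        assert shell_roundtrip(s) == s  # printed verbatim, nothing evaluated
        print(makefile_echo_line("Description", s))
```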

Comment 5 Dan Callaghan 2014-11-24 03:02:22 UTC
http://gerrit.beaker-project.org/3507

Comment 8 Dan Callaghan 2014-12-17 08:40:21 UTC
Beaker 19.1 is released.

