Covscan spotted the following:

```
Error: SHELLCHECK_WARNING (CWE-569): [#def1]
/usr/lib/dracut/modules.d/50rdcore/coreos-installer-generator:23:11: warning[SC2207]: Prefer mapfile or read -a to split command output (or quote to avoid splitting).
# 21| }
# 22|
# 23|-> cmdline=( $(</proc/cmdline) )
# 24| karg() {
# 25| local name="$1" value="$2"
```

=> This looks like a very minor but valid problem. Linux boot parameters support spaces, which are protected by using quotes in the output. In theory, if an attacker can inject a specially crafted value within another parameter printed before the key being searched, they could control parameters such as `coreos.inst.ignition_url` or `firstboot_args`, and thus control the installation. In practice, I am not sure it is worth really considering this as a security vulnerability because of the unlikelihood of the vector (injecting specially crafted values into a boot parameter does not feel like something easy). Regardless: it might be worth improving this, as it may also lead to bugs if any coreos-installer boot param contains a space. ShellCheck's tip: https://github.com/koalaman/shellcheck/wiki/SC2207
A similar issue may happen when building environment variables from the outputs of udevadm and lsblk:

```
Error: SHELLCHECK_WARNING (CWE-88): [#def11]
/usr/lib/dracut/modules.d/50rdcore/growfs:51:18: warning[SC2046]: Quote this to prevent word splitting.
# 49| case "${TYPE}" in
# 50| part)
# 51|-> eval $(udevadm info --query property --export "${current_blkdev}" | grep ^DM_ || :)
# 52| if [ -n "${DM_MPATH:-}" ]; then
# 53| # Since growpart does not understand device mapper, we have to use sfdisk.
```

```
Error: SHELLCHECK_WARNING (CWE-88): [#def12]
/usr/lib/dracut/modules.d/50rdcore/growfs:65:19: warning[SC2046]: Quote this to prevent word splitting.
# 63| # XXX: yuck... we need to expose this sanely in clevis
# 64| (. /usr/bin/clevis-luks-common-functions
# 65|-> eval $(udevadm info --query=property --export "${NAME}")
# 66| # lsblk doesn't print PKNAME of crypt devices with --nodeps
# 67| PKNAME=/dev/$(ls "/sys/dev/block/${MAJMIN}/slaves")
```

For example, it is to be noted that udevadm's output is protected by quotes, so it really may contain spaces. ShellCheck's tip: https://github.com/koalaman/shellcheck/wiki/SC2046
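The word-splitting problem from the first comment, shown as an added example (not coreos-installer code): the reported `cmdline=( $(</proc/cmdline) )` pattern beside a quote-aware split, run over a constructed command line. The `karg_lookup` helper is hypothetical, since the report does not show the body of `karg`.

```bash
#!/usr/bin/env bash
# Added example (not coreos-installer code): the SC2207 pattern from the report,
# `cmdline=( $(</proc/cmdline) )`, beside a quote-aware split. The sample
# command line below is constructed; the karg_lookup helper is hypothetical.

# Constructed stand-in for /proc/cmdline: one value contains spaces and is quoted.
SAMPLE_CMDLINE='root=/dev/sda1 firstboot_args="console=ttyS0 earlyprintk=serial" coreos.inst.ignition_url=https://example.invalid/config.ign'

# The reported pattern: unquoted expansion word-splits on every blank, ignores the
# double quotes, and also subjects each word to pathname globbing.
naive_split() {
    # shellcheck disable=SC2206
    CMDLINE_ARGS=( $1 )
}

# Quote-aware split: blanks inside double quotes stay in the token and the quote
# characters themselves are dropped, which is how the kernel treats quoted values.
split_cmdline() {
    local input="$1" token="" c i inquote=0
    CMDLINE_ARGS=()
    for ((i = 0; i < ${#input}; i++)); do
        c="${input:i:1}"
        if [[ $c == '"' ]]; then
            inquote=$((1 - inquote))
        elif [[ $c == [[:space:]] && $inquote -eq 0 ]]; then
            if [[ -n $token ]]; then CMDLINE_ARGS+=("$token"); fi
            token=""
        else
            token+="$c"
        fi
    done
    if [[ -n $token ]]; then CMDLINE_ARGS+=("$token"); fi
}

# Hypothetical lookup over CMDLINE_ARGS: prints the value of parameter "$1",
# or the default "$2" if it is absent; the last occurrence wins.
karg_lookup() {
    local name="$1" value="${2:-}" arg
    for arg in "${CMDLINE_ARGS[@]}"; do
        if [[ $arg == "$name="* ]]; then
            value="${arg#"$name="}"
        fi
    done
    printf '%s\n' "$value"
}

naive_split "$SAMPLE_CMDLINE"
echo "naive:  ${#CMDLINE_ARGS[@]} tokens, firstboot_args=$(karg_lookup firstboot_args)"
split_cmdline "$SAMPLE_CMDLINE"
echo "quoted: ${#CMDLINE_ARGS[@]} tokens, firstboot_args=$(karg_lookup firstboot_args)"
```

With the naive split the quoted value is broken into two tokens, the second of which looks like a separate parameter, and the looked-up value keeps a stray leading quote; the quote-aware split returns the whole value.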
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
Moving to RHEL 9 as we'll likely fix it there via: https://github.com/coreos/coreos-installer/pull/999
There are two copies of coreos-installer-generator. It's not clear which one this bug originally referred to, but both should be fixed. The one in coreos-installer-dracut has now been fixed, but the one in coreos-installer was not actually fixed by https://github.com/coreos/coreos-installer/pull/999.