escape filenames when building commands

lib/hookit/resource/directory.rb

@@ -1,3 +1,5 @@
+require 'shellwords'
+
 module Hookit
   module Resource
     class Directory < Base
@@ -31,19 +33,19 @@ def run(action)
 
       def create!
         return if ::File.exists? path
-        run_command! "mkdir #{"-p " if recursive}#{path}"
+        run_command! "mkdir #{"-p " if recursive}#{Shellwords.escape(path)}"
       end
 
       def delete!
         return if not ::File.exists? path
-        run_command! "rm -rf #{path}"
+        run_command! "rm -rf #{Shellwords.escape(path)}"
       end
 
       def chown!
         return unless owner or group
         if ::File.exists? path
-          cmd = "chown #{(group.nil?) ? owner : "#{owner}:#{group}"} #{path}"
-          run_command! "chown #{(group.nil?) ? owner : "#{owner}:#{group}"} #{path}"
+          cmd = "chown #{(group.nil?) ? owner : "#{owner}:#{group}"} #{Shellwords.escape(path)}"
+          run_command! "chown #{(group.nil?) ? owner : "#{owner}:#{group}"} #{Shellwords.escape(path)}"
         end
       end
 

lib/hookit/resource/file.rb

@@ -1,3 +1,5 @@
+require 'shellwords'
+
 module Hookit
   module Resource
     class File < Base
@@ -60,7 +62,7 @@ def delete!
       def chown!
         return unless owner or group
         if ::File.exists? path
-          run_command! "chown #{(group.nil?) ? owner : "#{owner}:#{group}"} #{path}"
+          run_command! "chown #{(group.nil?) ? owner : "#{owner}:#{group}"} #{Shellwords.escape(path)}"
         end
       end
 
@@ -75,7 +77,7 @@ def chmod!
       end
 
       def touch!
-        run_command! "touch -c #{path}"
+        run_command! "touch -c #{Shellwords.escape(path)}"
       end
 
       def unexpected_failure(message, reason)

lib/hookit/resource/hook_file.rb

@@ -1,3 +1,5 @@
+require 'shellwords'
+
 module Hookit
   module Resource
     class HookFile < Base
@@ -61,7 +63,7 @@ def delete!
       def chown!
         return unless owner or group
         if ::File.exists? path
-          run_command! "chown #{(group.nil?) ? owner : "#{owner}:#{group}"} #{path}"
+          run_command! "chown #{(group.nil?) ? owner : "#{owner}:#{group}"} #{Shellwords.escape(path)}"
         end
       end
 
@@ -76,7 +78,7 @@ def chmod!
       end
 
       def touch!
-        run_command! "touch -c #{path}"
+        run_command! "touch -c #{Shellwords.escape(path)}"
       end
 
       def render

lib/hookit/resource/link.rb

@@ -1,3 +1,5 @@
+require 'shellwords'
+
 module Hookit
   module Resource
     class Link < Base
@@ -32,17 +34,17 @@ def run(action)
       def create!
         args = ['f']
         args << 'sn' if link_type == :symbolic
-        run_command! "ln -#{args.join} #{to} #{target_file}"
+        run_command! "ln -#{args.join} #{Shellwords.escape(to)} #{Shellwords.escape(target_file)}"
       end
 
       def delete!
-        run_command! "rm -f #{target_file}"
+        run_command! "rm -f #{Shellwords.escape(target_file)}"
       end
 
       def chown!
         return unless owner or group
         if ::File.exists? target_file
-          run_command! "chown #{(group.nil?) ? owner : "#{owner}:#{group}"} #{target_file}"
+          run_command! "chown #{(group.nil?) ? owner : "#{owner}:#{group}"} #{Shellwords.escape(target_file)}"
         end
       end
     end

lib/hookit/resource/logrotate.rb

@@ -1,3 +1,5 @@
+require 'shellwords'
+
 module Hookit
   module Resource
     class Logrotate < Base
@@ -27,7 +29,7 @@ def run(action)
       def create!
         case platform.os
         when 'sun'
-          run_command! `logadm -c -w #{path} -s #{filesize ||= '10m'} -S #{max_size ||= '500m'} -C #{count ||= '10'} -N`
+          run_command! `logadm -c -w #{Shellwords.escape(path)} -s #{filesize ||= '10m'} -S #{max_size ||= '500m'} -C #{count ||= '10'} -N`
         end
       end
 

lib/hookit/resource/mount.rb

@@ -1,3 +1,5 @@
+require 'shellwords'
+
 module Hookit
   module Resource
     class Mount < Base
@@ -43,18 +45,18 @@ def mount!
         ::FileUtils.mkdir_p(mount_point)
         case platform.os
         when 'sun'
-          run_command! "mount -O -F #{fstype} -o retry=5,timeo=300 #{options!(as_arg=true)} #{device} #{mount_point}"
+          run_command! "mount -O -F #{fstype} -o retry=5,timeo=300 #{options!(as_arg=true)} #{device} #{Shellwords.escape(mount_point)}"
         when 'linux'
-          run_command! "mount -t #{fstype} -o retry=5,timeo=300 #{options!(as_arg=true)} #{device} #{mount_point}"
+          run_command! "mount -t #{fstype} -o retry=5,timeo=300 #{options!(as_arg=true)} #{device} #{Shellwords.escape(mount_point)}"
         end
       end
 
       def umount!
-        run_command! "umount #{mount_point}"
+        run_command! "umount #{Shellwords.escape(mount_point)}"
       end
 
       def enable!
-        entry = "#{device}\t#{device =~ /^\/dev/ ? device : "-"}\t#{mount_point}\t#{fstype}\t#{pass}\tyes\t#{options!}"
+        entry = "#{device}\t#{device =~ /^\/dev/ ? device : "-"}\t#{Shellwords.escape(mount_point)}\t#{fstype}\t#{pass}\tyes\t#{options!}"
         case platform.os
         when 'sun'
           run_command! `echo "#{entry}" >> /etc/vfstab`
@@ -66,9 +68,9 @@ def enable!
       def disable!
         case platform.os
         when 'sun'
-          run_command! `egrep -v "#{device}.*#{mount_point}" /etc/vfstab > /tmp/vfstab.tmp; mv -f /tmp/vfstab.tmp /etc/vfstab`
+          run_command! `egrep -v "#{device}.*#{Shellwords.escape(mount_point)}" /etc/vfstab > /tmp/vfstab.tmp; mv -f /tmp/vfstab.tmp /etc/vfstab`
         when 'linux'
-          run_command! `egrep -v "#{device}.*#{mount_point}" /etc/fstab > /tmp/vfstab.tmp; mv -f /tmp/vfstab.tmp /etc/vfstab`
+          run_command! `egrep -v "#{device}.*#{Shellwords.escape(mount_point)}" /etc/fstab > /tmp/vfstab.tmp; mv -f /tmp/vfstab.tmp /etc/vfstab`
         end
       end
 

lib/hookit/resource/rsync.rb

@@ -1,3 +1,5 @@
+require 'shellwords'
+
 module Hookit
   module Resource
     class Rsync < Base
@@ -26,7 +28,7 @@ def run(action)
       end
 
       def sync!
-        run_command! "rsync -q#{archive!}#{recursive!}#{checksum!}#{compress!} #{wrapper!} #{source} #{destination}"
+        run_command! "rsync -q#{archive!}#{recursive!}#{checksum!}#{compress!} #{wrapper!} #{Shellwords.escape(source)} #{Shellwords.escape(destination)}"
       end
 
       def archive!

lib/hookit/resource/scp.rb

@@ -1,3 +1,5 @@
+require 'shellwords'
+
 module Hookit
   module Resource
     class Scp < Base
@@ -31,7 +33,7 @@ def run(action)
       end
 
       def copy!
-        run_command! "scp -q#{preserve!}#{recursive!}B#{compression!} #{config!} #{port!} #{cipher!} #{identity!} #{ssh_options!} #{source} #{destination}"
+        run_command! "scp -q#{preserve!}#{recursive!}B#{compression!} #{config!} #{port!} #{cipher!} #{identity!} #{ssh_options!} #{Shellwords.escape(source)} #{Shellwords.escape(destination)}"
       end
 
       def cipher!

lib/hookit/resource/template.rb

@@ -3,6 +3,7 @@
 require 'erb'
 require 'oj'
 require 'multi_json'
+require 'shellwords'
 
 module Hookit
   module Resource
@@ -68,7 +69,7 @@ def delete!
       def chown!
         return unless owner or group
         if ::File.exists? path
-          run_command! "chown #{(group.nil?) ? owner : "#{owner}:#{group}"} #{path}"
+          run_command! "chown #{(group.nil?) ? owner : "#{owner}:#{group}"} #{Shellwords.escape(path)}"
         end
       end
 
@@ -83,7 +84,7 @@ def chmod!
       end
 
       def touch!
-        run_command! "touch -c #{path}"
+        run_command! "touch -c #{Shellwords.escape(path)}"
       end
 
       def render

lib/hookit/version.rb

@@ -1,3 +1,3 @@
 module Hookit
-  VERSION = "0.12.8"
+  VERSION = "0.12.9"
 end