aboutsummaryrefslogtreecommitdiffstats
path: root/kubernetes/common/mariadb-init/resources/config/db_init.sh
diff options
context:
space:
mode:
authorGuillaume Lambert <guillaume.lambert@orange.com>2021-03-10 16:09:31 +0100
committerKrzysztof Opasiak <k.opasiak@samsung.com>2021-05-26 06:55:45 +0000
commitf3454863133c2979f5091e6881cde3a496b2e12d (patch)
tree65b5d180b3947f9e9b2d0dbae3e683f16939c790 /kubernetes/common/mariadb-init/resources/config/db_init.sh
parent9970854c6fec9e99bf8c5fd88d2183041a8c9fb7 (diff)
[COMMON] Fix ${!name} bashisms
pointed out by checkbashisms. Note this kind of indirections can only be replaced directly in POSIX by commands using eval. Security risks must be evaluated for each context where eval is called. For a safe use, the context must ensure that only a limited number of possible constrainted values are passed to eval. https://mywiki.wooledge.org/Bashism#Parameter_Expansions https://mywiki.wooledge.org/BashFAQ/006#Indirection Issue-ID: OOM-264 Signed-off-by: Guillaume Lambert <guillaume.lambert@orange.com> Change-Id: Id27f3ffd1ddb092a9c038d3a45d9e3278720eb62
Diffstat (limited to 'kubernetes/common/mariadb-init/resources/config/db_init.sh')
-rwxr-xr-xkubernetes/common/mariadb-init/resources/config/db_init.sh12
1 files changed, 10 insertions, 2 deletions
diff --git a/kubernetes/common/mariadb-init/resources/config/db_init.sh b/kubernetes/common/mariadb-init/resources/config/db_init.sh
index fa4b007a5a..f130bb5118 100755
--- a/kubernetes/common/mariadb-init/resources/config/db_init.sh
+++ b/kubernetes/common/mariadb-init/resources/config/db_init.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+
{{/*
# Copyright © 2019 Orange
# Copyright © 2020 Samsung Electronics
@@ -22,8 +23,15 @@ set -e
while read DB ; do
USER_VAR="MYSQL_USER_${DB^^}"
PASS_VAR="MYSQL_PASSWORD_${DB^^}"
- USER=${!USER_VAR}
- PASS=`echo -n ${!PASS_VAR} | sed -e "s/'/''/g"`
+{{/*
+ # USER=${!USER_VAR}
+ # PASS=`echo -n ${!PASS_VAR} | sed -e "s/'/''/g"`
+ # eval replacement of the bashism equivalents above might present a security issue here
+ # since it reads content from DB values filled by helm at the end of the script.
+ # These possible values has to be constrainted and/or limited by helm for a safe use of eval.
+*/}}
+ eval USER=\$$USER_VAR
+ PASS=$(eval echo -n \$$PASS_VAR | sed -e "s/'/''/g")
MYSQL_OPTS=( -h ${DB_HOST} -P ${DB_PORT} -uroot -p${MYSQL_ROOT_PASSWORD} )
echo "Creating database ${DB} and user ${USER}..."