summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--kubernetes/common/cassandra/resources/config/docker-entrypoint.sh7
-rwxr-xr-xkubernetes/common/mariadb-init/resources/config/db_init.sh12
-rw-r--r--kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh10
3 files changed, 23 insertions, 6 deletions
diff --git a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh
index 64c7daacbf..5f23a89867 100644
--- a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh
+++ b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+
set -e
# first arg is `-f` or `--some-option`
@@ -71,7 +72,8 @@ if [ "$1" = 'cassandra' ]; then
authenticator \
; do
var="CASSANDRA_${yaml^^}"
- val="${!var}"
+ # eval presents no security issue here because of limited possible values of var
+ eval val=\$$var
if [ "$val" ]; then
_sed-in-place "$CASSANDRA_CONFIG/cassandra.yaml" \
-r 's/^(# )?('"$yaml"':).*/\2 '"$val"'/'
@@ -80,7 +82,8 @@ if [ "$1" = 'cassandra' ]; then
for rackdc in dc rack; do
var="CASSANDRA_${rackdc^^}"
- val="${!var}"
+ # eval presents no security issue here because of limited possible values of var
+ eval val=\$$var
if [ "$val" ]; then
_sed-in-place "$CASSANDRA_CONFIG/cassandra-rackdc.properties" \
-r 's/^('"$rackdc"'=).*/\1 '"$val"'/'
diff --git a/kubernetes/common/mariadb-init/resources/config/db_init.sh b/kubernetes/common/mariadb-init/resources/config/db_init.sh
index fa4b007a5a..f130bb5118 100755
--- a/kubernetes/common/mariadb-init/resources/config/db_init.sh
+++ b/kubernetes/common/mariadb-init/resources/config/db_init.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+
{{/*
# Copyright © 2019 Orange
# Copyright © 2020 Samsung Electronics
@@ -22,8 +23,15 @@ set -e
while read DB ; do
USER_VAR="MYSQL_USER_${DB^^}"
PASS_VAR="MYSQL_PASSWORD_${DB^^}"
- USER=${!USER_VAR}
- PASS=`echo -n ${!PASS_VAR} | sed -e "s/'/''/g"`
+{{/*
+ # USER=${!USER_VAR}
+ # PASS=`echo -n ${!PASS_VAR} | sed -e "s/'/''/g"`
+ # eval replacement of the bashism equivalents above might present a security issue here
+ # since it reads content from DB values filled by helm at the end of the script.
+ # These possible values has to be constrainted and/or limited by helm for a safe use of eval.
+*/}}
+ eval USER=\$$USER_VAR
+ PASS=$(eval echo -n \$$PASS_VAR | sed -e "s/'/''/g")
MYSQL_OPTS=( -h ${DB_HOST} -P ${DB_PORT} -uroot -p${MYSQL_ROOT_PASSWORD} )
echo "Creating database ${DB} and user ${USER}..."
diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh
index ebc8ca0f40..411ed8e667 100644
--- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh
+++ b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+
set -eo pipefail
shopt -s nullglob
@@ -30,10 +31,15 @@ file_env() {
mysql_error "Both $var and $fileVar are set (but are exclusive)"
fi
local val="$def"
+ # val="${!var}"
+ # val="$(< "${!fileVar}")"
+ # eval replacement of the bashism equivalents above presents no security issue here
+ # since var and fileVar variables contents are derived from the file_env() function arguments.
+ # This method is only called inside this script with a limited number of possible values.
if [ "${!var:-}" ]; then
- val="${!var}"
+ eval val=\$$var
elif [ "${!fileVar:-}" ]; then
- val="$(< "${!fileVar}")"
+ val="$(< "$(eval echo "\$$fileVar")")"
fi
export "$var"="$val"
unset "$fileVar"