2 files changed, 15 insertions, 4 deletions

diff --git a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh
index 5b652228a6..ff1908c1bb 100644
--- a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh
+++ b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+
 set -e
 
 # first arg is `-f` or `--some-option`
@@ -71,7 +72,8 @@ if [ "$1" = 'cassandra' ]; then
                 authenticator \
         ; do
                 var="CASSANDRA_${yaml^^}"
-                val="${!var}"
+                # eval presents no security issue here because of limited possible values of var
+                eval val=\$$var
                 if [ "$val" ]; then
                         _sed-in-place "$CASSANDRA_CONFIG/cassandra.yaml" \
                                 -r 's/^(# )?('"$yaml"':).*/\2 '"$val"'/'
@@ -80,7 +82,8 @@ if [ "$1" = 'cassandra' ]; then
 
         for rackdc in dc rack; do
                 var="CASSANDRA_${rackdc^^}"
-                val="${!var}"
+                # eval presents no security issue here because of limited possible values of var
+                eval val=\$$var
                 if [ "$val" ]; then
                         _sed-in-place "$CASSANDRA_CONFIG/cassandra-rackdc.properties" \
                                 -r 's/^('"$rackdc"'=).*/\1 '"$val"'/'
diff --git a/kubernetes/common/mariadb-init/resources/config/db_init.sh b/kubernetes/common/mariadb-init/resources/config/db_init.sh
index fa4b007a5a..f130bb5118 100755
--- a/kubernetes/common/mariadb-init/resources/config/db_init.sh
+++ b/kubernetes/common/mariadb-init/resources/config/db_init.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+
 {{/*
 # Copyright © 2019 Orange
 # Copyright © 2020 Samsung Electronics
@@ -22,8 +23,15 @@ set -e
 while read DB ; do
     USER_VAR="MYSQL_USER_${DB^^}"
     PASS_VAR="MYSQL_PASSWORD_${DB^^}"
-    USER=${!USER_VAR}
-    PASS=`echo -n ${!PASS_VAR} | sed -e "s/'/''/g"`
+{{/*
+    # USER=${!USER_VAR}
+    # PASS=`echo -n ${!PASS_VAR} | sed -e "s/'/''/g"`
+    # eval replacement of the bashism equivalents above might present a security issue here
+    # since it reads content from DB values filled by helm at the end of the script.
+    # These possible values has to be constrainted and/or limited by helm for a safe use of eval.
+*/}}
+    eval USER=\$$USER_VAR
+    PASS=$(eval echo -n \$$PASS_VAR | sed -e "s/'/''/g")
     MYSQL_OPTS=( -h ${DB_HOST} -P ${DB_PORT} -uroot -p${MYSQL_ROOT_PASSWORD} )
 
     echo "Creating database ${DB} and user ${USER}..."