From bdad92a57fef970cc5342efc802cd4835c89af54 Mon Sep 17 00:00:00 2001
From: Kenyon Ralph
Date: Mon, 21 Aug 2023 17:18:37 -0700
Subject: [PATCH] module: quote filenames in command lines
---
 manifests/module.pp | 4 ++--
 spec/defines/selinux_module_spec.rb | 26 +++++++++++++-------------
 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/manifests/module.pp b/manifests/module.pp
index a4b1fbfc..78affd2f 100644
--- a/manifests/module.pp
+++ b/manifests/module.pp
@@ -136,7 +136,7 @@
 exec { "build-module-${title}":
 path => '/bin:/usr/bin',
 cwd => $module_dir,
- command => "${build_command} || (rm -f ${module_file}.pp ${module_file}.loaded && exit 1)",
+ command => "${build_command} || (rm -f '${module_file}.pp' '${module_file}.loaded' && exit 1)",
 creates => "${module_file}.pp",
 notify => Exec["install-module-${title}"],
 }
@@ -168,7 +168,7 @@
 exec { "install-module-${title}":
 path => '/sbin:/usr/sbin:/bin:/usr/bin',
 cwd => $module_dir,
- command => "semodule -i ${module_file}.pp && touch ${module_file}.loaded",
+ command => "semodule -i '${module_file}.pp' && touch '${module_file}.loaded'",
 creates => "${module_file}.loaded",
 before => Selmodule[$title],
 }
diff --git a/spec/defines/selinux_module_spec.rb b/spec/defines/selinux_module_spec.rb
index 0e4ec006..bd4596bd 100644
--- a/spec/defines/selinux_module_spec.rb
+++ b/spec/defines/selinux_module_spec.rb
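Review bot: `${build_command}` is still interpolated unquoted at the start of the build-module `command`, so the quoting added in the -136 hunk covers only the cleanup half of that line. The spec expectations at -124 and -142 show it expanding to `selinux_build_module_simple.sh mymodule #{workdir}` with the work directory unquoted, so a path containing whitespace or shell metacharacters would still be split or interpreted there; `$build_command` is assigned outside this hunk and should get the same quoting where it is built. Separately, literal single quotes (here and in the install-module hunk at -168) stop protecting the argument if `${module_file}` itself contains a `'`. Passing the paths through puppetlabs-stdlib's `shell_escape` (if stdlib is available to this module), or validating `$title` and the module directory against a restrictive pattern where they are declared, would close that case too.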
@@ -46,8 +46,8 @@
 it { is_expected.to contain_file("#{workdir}/mymodule.fc").with(source: nil, content: '') }
 it { is_expected.to contain_file("#{workdir}/mymodule.if").with(source: nil, content: '') }
 it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) }
- it { is_expected.to contain_exec('build-module-mymodule').with(command: "make -f /usr/share/selinux/devel/Makefile mymodule.pp || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") }
- it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") }
+ it { is_expected.to contain_exec('build-module-mymodule').with(command: "make -f /usr/share/selinux/devel/Makefile mymodule.pp || (rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded' && exit 1)", creates: "#{module_basepath}.pp") }
+ it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i '#{module_basepath}.pp' && touch '#{module_basepath}.loaded'", cwd: workdir, creates: "#{module_basepath}.loaded") }
 it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) }
 end
 
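Review bot: Every updated expectation uses the fixture title `mymodule` and a `module_basepath` with no shell-sensitive characters, so none of these contexts exercises the input the quoting is meant to handle. A context whose work directory contains a space, asserting the resulting build and install `command` strings, would document the intent and fail if a quote is dropped later. The same applies to the other six hunks in this file; the enclosing `context` blocks start outside the hunks.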
@@ -65,8 +65,8 @@
 it { is_expected.to contain_file("#{workdir}/mymodule.fc").that_notifies('Exec[clean-module-mymodule]') }
 it { is_expected.to contain_file("#{workdir}/mymodule.if").with(source: nil, content: '') }
 it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) }
- it { is_expected.to contain_exec('build-module-mymodule').with(command: "make -f /usr/share/selinux/devel/Makefile mymodule.pp || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") }
- it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") }
+ it { is_expected.to contain_exec('build-module-mymodule').with(command: "make -f /usr/share/selinux/devel/Makefile mymodule.pp || (rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded' && exit 1)", creates: "#{module_basepath}.pp") }
+ it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i '#{module_basepath}.pp' && touch '#{module_basepath}.loaded'", cwd: workdir, creates: "#{module_basepath}.loaded") }
 it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) }
 end
 
@@ -85,8 +85,8 @@
 it { is_expected.to contain_file("#{workdir}/mymodule.if").that_notifies('Exec[clean-module-mymodule]') }
 it { is_expected.to contain_file("#{workdir}/mymodule.fc").that_notifies('Exec[clean-module-mymodule]') }
 it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) }
- it { is_expected.to contain_exec('build-module-mymodule').with(command: "make -f /usr/share/selinux/devel/Makefile mymodule.pp || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") }
- it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") }
+ it { is_expected.to contain_exec('build-module-mymodule').with(command: "make -f /usr/share/selinux/devel/Makefile mymodule.pp || (rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded' && exit 1)", creates: "#{module_basepath}.pp") }
+ it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i '#{module_basepath}.pp' && touch '#{module_basepath}.loaded'", cwd: workdir, creates: "#{module_basepath}.loaded") }
 it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) }
 end
 
@@ -105,8 +105,8 @@
 it { is_expected.to contain_file("#{workdir}/mymodule.if").with(source: nil, content: 'interface(puppet_test)').that_notifies('Exec[clean-module-mymodule]') }
 it { is_expected.to contain_file("#{workdir}/mymodule.fc").with(source: nil, content: '/bin/sh system_u:object_r:bin_t').that_notifies('Exec[clean-module-mymodule]') }
 it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) }
- it { is_expected.to contain_exec('build-module-mymodule').with(command: "make -f /usr/share/selinux/devel/Makefile mymodule.pp || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") }
- it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") }
+ it { is_expected.to contain_exec('build-module-mymodule').with(command: "make -f /usr/share/selinux/devel/Makefile mymodule.pp || (rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded' && exit 1)", creates: "#{module_basepath}.pp") }
+ it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i '#{module_basepath}.pp' && touch '#{module_basepath}.loaded'", cwd: workdir, creates: "#{module_basepath}.loaded") }
 it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) }
 end
 
@@ -124,8 +124,8 @@
 it { is_expected.to contain_file("#{workdir}/mymodule.fc").with(source: nil, content: '') }
 it { is_expected.to contain_file("#{workdir}/mymodule.if").with(source: nil, content: '') }
 it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) }
- it { is_expected.to contain_exec('build-module-mymodule').with(command: "/var/lib/puppet/puppet-selinux/bin/selinux_build_module_simple.sh mymodule #{workdir} || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") }
- it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") }
+ it { is_expected.to contain_exec('build-module-mymodule').with(command: "/var/lib/puppet/puppet-selinux/bin/selinux_build_module_simple.sh mymodule #{workdir} || (rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded' && exit 1)", creates: "#{module_basepath}.pp") }
+ it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i '#{module_basepath}.pp' && touch '#{module_basepath}.loaded'", cwd: workdir, creates: "#{module_basepath}.loaded") }
 it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) }
 end
 
@@ -142,8 +142,8 @@
 it { is_expected.to contain_file("#{workdir}/mymodule.fc").with(source: nil, content: '') }
 it { is_expected.to contain_file("#{workdir}/mymodule.if").with(source: nil, content: '') }
 it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) }
- it { is_expected.to contain_exec('build-module-mymodule').with(command: "/var/lib/puppet/puppet-selinux/bin/selinux_build_module_simple.sh mymodule #{workdir} || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") }
- it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") }
+ it { is_expected.to contain_exec('build-module-mymodule').with(command: "/var/lib/puppet/puppet-selinux/bin/selinux_build_module_simple.sh mymodule #{workdir} || (rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded' && exit 1)", creates: "#{module_basepath}.pp") }
+ it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i '#{module_basepath}.pp' && touch '#{module_basepath}.loaded'", cwd: workdir, creates: "#{module_basepath}.loaded") }
 it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) }
 end
 
@@ -170,7 +170,7 @@
 it { is_expected.to contain_file(workdir) }
 it { is_expected.to contain_file("#{workdir}/mymodule.pp").that_notifies('Exec[clean-module-mymodule]') }
 it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.loaded'", cwd: workdir) }
- it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") }
+ it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i '#{module_basepath}.pp' && touch '#{module_basepath}.loaded'", cwd: workdir, creates: "#{module_basepath}.loaded") }
 it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) }
 end