Skip to content

Escape shell flag values

Dustin Collins requested to merge 7198-escape-redis-password-arg into master 
Use shellwords to escape special characters

For fields that are to be passed via the shell, use the ruby core
library functionality in shellwords to escape the string to prevent
errors and promote safe handling.

Closes https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/7198

Changelog: changed

What does this MR do?

This MR makes use of the shellwords gem's shellescape function to properly escape flag arguments with special characters.

Related issues

Closes #7198 (closed)

Testing

The following docker-compose file can be used to test this change.

The GitLab image used in this file was created by this MR's triggered pipeline.

Notice that the redis password is set to "redis)", which fails to converge before this MR since it contains a ")" character.

Running docker compose up --pull always --force-recreate should result in a working GitLab instance. To see the broken state before this MR, uncomment the second image in the below file.

version: '3.6'
services:
  gitlab:
    container_name: 'gitlab'
    image: 'registry.gitlab.com/gitlab-org/omnibus-gitlab/gitlab-ee:15.8.0-rfbranch.755428643.fb022d92-0'
    # image: 'gitlab/gitlab-ee:nightly'
    hostname: 'gitlab.dev'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://gitlab.dev'
        letsencrypt['enable'] = false
        gitlab_rails['initial_root_password'] = 'rtrtrtrt'

        redis['enable'] = false
        gitlab_rails['redis_host'] = 'redis'
        gitlab_rails['redis_port'] = 6379
        gitlab_rails['redis_password'] = 'redis)'

        redis_exporter['enable'] = true
        redis_exporter['flags'] = {
          'redis.addr' => 'redis://redis:6379',
          'redis.password' => 'redis)'
        }
    ports:
      - '8080:80'
      - '8443:443'
    shm_size: '256m'
  redis:
    image: 'redis:7'
    command: ['redis-server', '--requirepass', 'redis)']

Inside the GitLab container you can see there are no errors in the redis-exporter log with:

cat /var/log/gitlab/redis-exporter/current

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion

Required

  • Merge Request Title, and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com
  • Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks
  • trigger-package has a green pipeline running against latest commit

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for the GitLab Chart opened

Closes #7198 (closed)

Edited by Robert Marshall

Merge request reports