run role: improve script quoting

Ensure safer handling of input by adding ansible.builtin.quote where
appropriate. Even if inputs are user-controlled or derived from internal
variables, it's better to be safe and prevent potential issues with
shell parsing.

Author: andreashaerter

roles/run/handlers/main.yml

@@ -29,55 +29,46 @@
 
       # Set ownership of files and directories: service user and group
       find \
-        '{{ run_acmesh_cfg_home }}' \
-        '{{ run_acmesh_cfg_config_home }}' \
-        '{{ run_acmesh_cfg_cert_home }}' \
-        -exec chown -c "{{ run_acmesh_user }}:{{ run_acmesh_group }}" {} \;
-      chown -c "{{ run_acmesh_user }}:{{ run_acmesh_group }}" '{{ run_acmesh_cfg_config_home }}/account.conf'
-      chown -c "{{ run_acmesh_user }}:{{ run_acmesh_group }}" '{{ run_acmesh_cfg_logfile }}'
+        {{ run_acmesh_cfg_home | ansible.builtin.quote }} \
+        {{ run_acmesh_cfg_config_home | ansible.builtin.quote }} \
+        {{ run_acmesh_cfg_cert_home | ansible.builtin.quote }} \
+        -exec chown -c {{ (run_acmesh_user ~ ':' ~ run_acmesh_group) | ansible.builtin.quote }} {} \;
+      chown -c {{ (run_acmesh_user ~ ':' ~ run_acmesh_group) | ansible.builtin.quote }} {{ (run_acmesh_cfg_config_home ~ '/account.conf') |
+                                                                                           ansible.builtin.quote }}
+      chown -c {{ (run_acmesh_user ~ ':' ~ run_acmesh_group) | ansible.builtin.quote }} {{ run_acmesh_cfg_logfile | ansible.builtin.quote }}
 
       # Set permissions of directories: 0750 / u=rwx,g=rx,o=
       find \
-        '{{ run_acmesh_cfg_home }}' \
-        '{{ run_acmesh_cfg_config_home }}' \
-        '{{ run_acmesh_cfg_cert_home }}' \
+        {{ run_acmesh_cfg_home | ansible.builtin.quote }} \
+        {{ run_acmesh_cfg_config_home | ansible.builtin.quote }} \
+        {{ run_acmesh_cfg_cert_home | ansible.builtin.quote }} \
         -type d \
         -exec chmod -c 0750 {} \;
 
       # Set permissions of non-executables: 0640 / u=rw,g=r,o=
       # The account.conf will be handled later
       find \
-        '{{ run_acmesh_cfg_home }}' \
-        '{{ run_acmesh_cfg_config_home }}' \
-        '{{ run_acmesh_cfg_cert_home }}' \
+        {{ run_acmesh_cfg_home | ansible.builtin.quote }} \
+        {{ run_acmesh_cfg_config_home | ansible.builtin.quote }} \
+        {{ run_acmesh_cfg_cert_home | ansible.builtin.quote }} \
         -type f \
         -not -name '*\.sh' \
-        -not -wholename '{{ run_acmesh_cfg_config_home }}/account.conf' \
+        -not -wholename {{ (run_acmesh_cfg_config_home ~ '/account.conf') | ansible.builtin.quote }} \
         -exec chmod -c 0640 {} \;
 
       # Set permissions of executables: 0750 / u=rwx,g=rx,o=
-      chmod -c 0750 '{{ run_acmesh_cfg_home }}/acme.sh'
+      chmod -c 0750 {{ (run_acmesh_cfg_home ~ '/acme.sh') | ansible.builtin.quote }}
       find \
-        '{{ run_acmesh_cfg_home }}/deploy' \
-        '{{ run_acmesh_cfg_home }}/dnsapi' \
-        '{{ run_acmesh_cfg_home }}/notify' \
-        -type f \
-        -name '*\.sh' \
-        -exec chmod -c 0750 {} \;
-
-      # Set permissions of executables: 0750 / u=rwx,g=rx,o=
-      chmod -c 0750 '{{ run_acmesh_cfg_home }}/acme.sh'
-      find \
-        '{{ run_acmesh_cfg_home }}/deploy' \
-        '{{ run_acmesh_cfg_home }}/dnsapi' \
-        '{{ run_acmesh_cfg_home }}/notify' \
+        {{ (run_acmesh_cfg_home ~ '/deploy') | ansible.builtin.quote }} \
+        {{ (run_acmesh_cfg_home ~ '/dnsapi') | ansible.builtin.quote }} \
+        {{ (run_acmesh_cfg_home ~ '/notify') | ansible.builtin.quote }} \
         -type f \
         -name '*\.sh' \
         -exec chmod -c 0750 {} \;
 
       # Set permissions of sensitive files directories: 0600 / u=rw,g=,o=
-      chmod -c 0600 '{{ run_acmesh_cfg_config_home }}/account.conf' # may contain credentials (e.g. DNS API or notify credentials)
-      chmod -c 0600 '{{ run_acmesh_cfg_logfile }}'
+      chmod -c 0600 {{ (run_acmesh_cfg_config_home ~ '/account.conf') | ansible.builtin.quote }} # may contain credentials (e.g. DNS API or notify credentials)
+      chmod -c 0600 {{ run_acmesh_cfg_logfile | ansible.builtin.quote }}
 
       exit 0
     executable: "/bin/bash" # this inline script was only tested with Bash yet, so hardcode the shell

roles/run/tasks/cert/default.yml

@@ -105,29 +105,29 @@
     cmd: >
       ./acme.sh
         --issue
-        --config-home "{{ run_acmesh_cfg_config_home }}"
-        --certhome "{{ run_acmesh_cfg_cert_home }}"
+        --config-home {{ run_acmesh_cfg_config_home | ansible.builtin.quote }}
+        --certhome {{ run_acmesh_cfg_cert_home | ansible.builtin.quote }}
         {% for item_domain in item['domains'] %}
-          --domain "{{ item_domain['name'] }}"
-          {{ '--dns "' ~ item_domain['challenge']['dns_provider'] ~ '"'
+          --domain {{ item_domain['name'] | ansible.builtin.quote }}
+          {{ '--dns ' ~ (item_domain['challenge']['dns_provider'] | ansible.builtin.quote)
               if ((item_domain['challenge'] is defined) and
                   (item_domain['challenge']['type'] is defined) and
                   (item_domain['challenge']['type'] == 'dns') and
                   (item_domain['challenge']['dns_provider'] is defined) and
                   (item_domain['challenge']['dns_provider']))
               else
               '' }}
-          {{ '--domain-alias "' ~ item_domain['challenge']['domain_alias'] ~ '"'
+          {{ '--domain-alias ' ~ (item_domain['challenge']['domain_alias'] | ansible.builtin.quote)
               if ((item_domain['challenge']['domain_alias'] is defined) and
                   (item_domain['challenge']['domain_alias']))
               else
               '' }}
-          {{ '--challenge-alias "' ~ item_domain['challenge']['challenge_alias'] ~ '"'
+          {{ '--challenge-alias ' ~ (item_domain['challenge']['challenge_alias'] | ansible.builtin.quote)
               if ((item_domain['challenge']['challenge_alias'] is defined) and
                   (item_domain['challenge']['challenge_alias']))
               else
               '' }}
-          {{ '--webroot "' ~ item_domain['challenge']['webroot'] ~ '"'
+          {{ '--webroot ' ~ (item_domain['challenge']['webroot'] | ansible.builtin.quote)
               if ((item_domain['challenge'] is defined) and
                   (item_domain['challenge']['type'] is defined) and
                   (item_domain['challenge']['type'] == 'webroot') and
@@ -141,7 +141,7 @@
                   (item_domain['challenge']['type'] == 'standalone'))
               else
               '' }}
-          {{ '--httpport ' ~ item_domain['challenge']['httpport']
+          {{ '--httpport ' ~ (item_domain['challenge']['httpport'] | ansible.builtin.quote)
               if ((item_domain['challenge']['httpport'] is defined) and
                   (item_domain['challenge']['httpport']))
               else
@@ -152,7 +152,7 @@
                   (item_domain['challenge']['type'] == 'alpn'))
               else
               '' }}
-          {{ '--tlsport ' ~ item_domain['challenge']['tlsport']
+          {{ '--tlsport ' ~ (item_domain['challenge']['tlsport'] | ansible.builtin.quote)
               if ((item_domain['challenge']['tlsport'] is defined) and
                   (item_domain['challenge']['tlsport']))
               else
@@ -168,26 +168,26 @@
                 (item['debug']))
             else
             '' }}
-        {{ '--dnssleep ' ~ (item['dnssleep'] | int)
+        {{ '--dnssleep ' ~ (item['dnssleep'] | ansible.builtin.quote)
             if (item['dnssleep'] is defined)
             else
             '' }}
-        {{ '--pre-hook "' ~ item['pre_hook'] ~ '"'
+        {{ '--pre-hook ' ~ (item['pre_hook'] | ansible.builtin.quote)
             if ((item['pre_hook'] is defined) and
                 (item['pre_hook']))
             else
             '' }}
-        {{ '--post-hook "' ~ item['post_hook'] ~ '"'
+        {{ '--post-hook ' ~ (item['post_hook'] | ansible.builtin.quote)
             if ((item['post_hook'] is defined) and
                 (item['post_hook']))
             else
             '' }}
-        {{ '--renew-hook "' ~ item['renew_hook'] ~ '"'
+        {{ '--renew-hook ' ~ (item['renew_hook'] | ansible.builtin.quote)
             if ((item['renew_hook'] is defined) and
                 (item['renew_hook']))
             else
             '' }}
-        {{ '--server "' ~ item['server'] ~ '"'
+        {{ '--server ' ~ (item['server'] | ansible.builtin.quote)
             if ((item['server'] is defined) and
                 (item['server']))
             else
@@ -275,30 +275,30 @@
     cmd: >
       ./acme.sh
         --install-cert
-        --config-home "{{ run_acmesh_cfg_config_home }}"
-        --certhome "{{ run_acmesh_cfg_cert_home }}"
-        --domain "{{ item['domains'][0]['name'] }}"
-        {{ '--ca-file "' ~ item['install']['ca_file'] ~ '"'
+        --config-home {{ run_acmesh_cfg_config_home | ansible.builtin.quote }}
+        --certhome {{ run_acmesh_cfg_cert_home | ansible.builtin.quote }}
+        --domain {{ item['domains'][0]['name'] | ansible.builtin.quote }}
+        {{ '--ca-file ' ~ (item['install']['ca_file'] | ansible.builtin.quote)
             if ((item['install']['ca_file'] is defined) and
                 (item['install']['ca_file']))
             else
             '' }}
-        {{ '--cert-file "' ~ item['install']['cert_file'] ~ '"'
+        {{ '--cert-file ' ~ (item['install']['cert_file'] | ansible.builtin.quote)
             if ((item['install']['cert_file'] is defined) and
                 (item['install']['cert_file']))
             else
             '' }}
-        {{ '--fullchain-file "' ~ item['install']['fullcain_file'] ~ '"'
+        {{ '--fullchain-file ' ~ (item['install']['fullcain_file'] | ansible.builtin.quote)
             if ((item['install']['fullcain_file'] is defined) and
                 (item['install']['fullcain_file']))
             else
             '' }}
-        {{ '--key-file "' ~ item['install']['key_file'] ~ '"'
+        {{ '--key-file ' ~ (item['install']['key_file'] | ansible.builtin.quote)
             if ((item['install']['key_file'] is defined) and
                 (item['install']['key_file']))
             else
             '' }}
-        {{ '--reloadcmd "' ~ item['install']['reloadcmd'] ~ '"'
+        {{ '--reloadcmd ' ~ (item['install']['reloadcmd'] | ansible.builtin.quote)
             if ((item['install']['reloadcmd'] is defined) and
                 (item['install']['reloadcmd']))
             else
@@ -333,7 +333,7 @@
 - name: "Cert | Default | Gather certificate information"
   ansible.builtin.command:
     cmd: >
-      ./acme.sh --list --certhome "{{ run_acmesh_cfg_cert_home }}"
+      ./acme.sh --list --certhome {{ run_acmesh_cfg_cert_home | ansible.builtin.quote }}
   args:
     chdir: "{{ run_acmesh_cfg_home }}"
   when:

roles/run/tasks/config/default.yml

@@ -22,22 +22,22 @@
       set -u # fail on unset vars
       set -o pipefail # fail if any pipe cmd fails
 
-      __run_acmesh_checksum_before="$({{ __run_acmesh_sha1sum_executable }} '{{ run_acmesh_cfg_config_home }}/account.conf')"
+      __run_acmesh_checksum_before=$({{ __run_acmesh_sha1sum_executable }} {{ (run_acmesh_cfg_config_home ~ '/account.conf') | ansible.builtin.quote }})
 
       if ! ./acme.sh \
             --info \
-            --home "{{ run_acmesh_cfg_home }}" \
-            --config-home "{{ run_acmesh_cfg_config_home }}" \
-            --certhome "{{ run_acmesh_cfg_cert_home }}" \
-            --log "{{ run_acmesh_cfg_logfile }}" \
-            --log-level {{ run_acmesh_cfg_log_level }} \
-            --syslog {{ run_acmesh_cfg_syslog }} \
+            --home {{ run_acmesh_cfg_home | ansible.builtin.quote }} \
+            --config-home {{ run_acmesh_cfg_config_home | ansible.builtin.quote }} \
+            --certhome {{ run_acmesh_cfg_cert_home | ansible.builtin.quote }} \
+            --log {{ run_acmesh_cfg_logfile | ansible.builtin.quote }} \
+            --log-level {{ run_acmesh_cfg_log_level | ansible.builtin.quote }} \
+            --syslog {{ run_acmesh_cfg_syslog | ansible.builtin.quote }} \
             {{ '--auto-upgrade 1'
               if ((run_acmesh_autoupgrade is defined) and
                   (run_acmesh_autoupgrade))
               else
               '--auto-upgrade 0' }} \
-            {{ '--accountemail "' ~ run_acmesh_cfg_accountemail ~ '"'
+            {{ '--accountemail ' ~ (run_acmesh_cfg_accountemail | ansible.builtin.quote)
               if ((run_acmesh_cfg_accountemail is defined) and
                   (run_acmesh_cfg_accountemail))
               else
@@ -46,9 +46,10 @@
         exit 1
       fi
 
-      if [ "${__run_acmesh_checksum_before}" != "$({{ __run_acmesh_sha1sum_executable }} '{{ run_acmesh_cfg_config_home }}/account.conf')" ]
+      __run_acmesh_checksum_after=$({{ __run_acmesh_sha1sum_executable }} {{ (run_acmesh_cfg_config_home ~ '/account.conf') | ansible.builtin.quote }})
+      if [ "${__run_acmesh_checksum_before}" != "${__run_acmesh_checksum_after}" ]
       then
-        printf 'Changed config file: {{ run_acmesh_cfg_config_home }}/account.conf'
+        printf 'Changed config file: %s' {{ (run_acmesh_cfg_config_home ~ '/account.conf') | ansible.builtin.quote }}
       fi
 
       exit 0

roles/run/tasks/init.yml

@@ -109,16 +109,19 @@
     cmd: |
       set -u # fail on unset vars
       set -o pipefail # fail if any pipe cmd fails
+
       __run_acmesh_version_installed=""
-      if command -v '{{ run_acmesh_cfg_home }}/acme.sh' > /dev/null 2>&1
+      if command -v {{ (run_acmesh_cfg_home ~ '/acme.sh') | ansible.builtin.quote }} > /dev/null 2>&1
       then
-        __run_acmesh_version_installed="$({{ run_acmesh_cfg_home }}/acme.sh --version | tail -1 | sed -e 's/^v//g')"
+        __run_acmesh_version_installed=$({{ (run_acmesh_cfg_home ~ '/acme.sh' ) | ansible.builtin.quote }} --version | tail -1 | sed -e 's/^v//g')
         if ! printf '%s' "${__run_acmesh_version_installed}" | grep -E -q -e '^[[:digit:]\.]*$'
         then
           __run_acmesh_version_installed=''
         fi
       fi
+
       printf '%s' "${__run_acmesh_version_installed}"
+      exit 0
     executable: "/bin/bash" # this inline script was only tested with Bash yet, so hardcode the shell
   register: __run_acmesh_version_installed_result
   ignore_errors: true

roles/run/tasks/setup/install/default.yml

@@ -171,19 +171,19 @@
     cmd: >
       ./acme.sh
         --install
-        --home "{{ run_acmesh_cfg_home }}"
-        --config-home "{{ run_acmesh_cfg_config_home }}"
-        --certhome "{{ run_acmesh_cfg_cert_home }}"
-        --log "{{ run_acmesh_cfg_logfile }}"
-        --log-level {{ run_acmesh_cfg_log_level }}
-        --syslog {{ run_acmesh_cfg_syslog }}
+        --home {{ run_acmesh_cfg_home | ansible.builtin.quote }}
+        --config-home {{ run_acmesh_cfg_config_home | ansible.builtin.quote }}
+        --certhome {{ run_acmesh_cfg_cert_home | ansible.builtin.quote }}
+        --log {{ run_acmesh_cfg_logfile | ansible.builtin.quote }}
+        --log-level {{ run_acmesh_cfg_log_level | ansible.builtin.quote }}
+        --syslog {{ run_acmesh_cfg_syslog | ansible.builtin.quote }}
         --nocron
         {{ '--auto-upgrade 1'
           if ((run_acmesh_autoupgrade is defined) and
               (run_acmesh_autoupgrade))
           else
           '--auto-upgrade 0' }}
-        {{ '--accountemail "' ~ run_acmesh_cfg_accountemail ~ '"'
+        {{ '--accountemail ' ~ (run_acmesh_cfg_accountemail | ansible.builtin.quote)
           if ((run_acmesh_cfg_accountemail is defined) and
               (run_acmesh_cfg_accountemail))
           else
@@ -214,18 +214,18 @@
     cmd: >
       ./acme.sh
         --upgrade
-        --home "{{ run_acmesh_cfg_home }}"
-        --config-home "{{ run_acmesh_cfg_config_home }}"
-        --certhome "{{ run_acmesh_cfg_cert_home }}"
-        --log "{{ run_acmesh_cfg_logfile }}"
-        --log-level {{ run_acmesh_cfg_log_level }}
-        --syslog {{ run_acmesh_cfg_syslog }}
+        --home {{ run_acmesh_cfg_home | ansible.builtin.quote }}
+        --config-home {{ run_acmesh_cfg_config_home | ansible.builtin.quote }}
+        --certhome {{ run_acmesh_cfg_cert_home | ansible.builtin.quote }}
+        --log {{ run_acmesh_cfg_logfile | ansible.builtin.quote }}
+        --log-level {{ run_acmesh_cfg_log_level | ansible.builtin.quote }}
+        --syslog {{ run_acmesh_cfg_syslog | ansible.builtin.quote }}
         {{ '--auto-upgrade 1'
           if ((run_acmesh_autoupgrade is defined) and
               (run_acmesh_autoupgrade))
           else
           '--auto-upgrade 0' }}
-        {{ '--accountemail "' ~ run_acmesh_cfg_accountemail ~ '"'
+        {{ '--accountemail ' ~ (run_acmesh_cfg_accountemail | ansible.builtin.quote)
           if ((run_acmesh_cfg_accountemail is defined) and
               (run_acmesh_cfg_accountemail))
           else
@@ -260,15 +260,17 @@
     cmd: |
       set -u # fail on unset vars
       set -o pipefail # fail if any pipe cmd fails
-      __run_acmesh_version_installed=''
-      if command -v '{{ run_acmesh_cfg_home }}/acme.sh' > /dev/null 2>&1
+
+      __run_acmesh_version_installed=""
+      if command -v {{ (run_acmesh_cfg_home ~ '/acme.sh') | ansible.builtin.quote }} > /dev/null 2>&1
       then
-        __run_acmesh_version_installed="$({{ run_acmesh_cfg_home }}/acme.sh --version | tail -1 | sed -e 's/^v//g')"
+        __run_acmesh_version_installed=$({{ (run_acmesh_cfg_home ~ '/acme.sh' ) | ansible.builtin.quote }} --version | tail -1 | sed -e 's/^v//g')
         if ! printf '%s' "${__run_acmesh_version_installed}" | grep -E -q -e '^[[:digit:]\.]*$'
         then
           __run_acmesh_version_installed=''
         fi
       fi
+
       printf '%s' "${__run_acmesh_version_installed}"
       exit 0
     executable: "/bin/bash" # this inline script was only tested with Bash yet, so hardcode the shell

roles/run/tasks/setup/uninstall/default.yml

@@ -15,9 +15,9 @@
   # https://github.com/acmesh-official/acme.sh/wiki/Options-and-Params
   ansible.builtin.command:
     cmd: >
-      {{ run_acmesh_cfg_home }}/acme.sh
+      {{ (run_acmesh_cfg_home ~ '/acme.sh') | ansible.builtin.quote }}
         --uninstall
-        --config-home "{{ run_acmesh_cfg_config_home }}"
+        --config-home {{ run_acmesh_cfg_config_home | ansible.builtin.quote }}
   args:
     removes: "{{ run_acmesh_cfg_home }}/acme.sh"
   when:

roles/run/vars/main.yml

@@ -136,7 +136,7 @@ __run_acmesh_systemd_renewal_servicefile: "/etc/systemd/system/acmesh-renewal.se
 __run_acmesh_systemd_renewal_timerfile: "/etc/systemd/system/acmesh-renewal.timer"
 
 
-# String. Path to the sha1sum executable
+# String. Path to the sha1sum executable.
 __run_acmesh_sha1sum_executable: "/usr/bin/sha1sum"