authorPaul Buetow <paul@buetow.org>2026-03-01 23:00:14 +0200
committerPaul Buetow <paul@buetow.org>2026-03-01 23:00:14 +0200
commitf9dd513d8cd70654b03bcb80e9b4897c2ef6f72b (patch)
treedddd294154c31dc4b2b2495353f2e152c676a3ab /lib
parent7c439bef61b90e6744ac971a999262a0eeb76750 (diff)
fix: replace shell-interpolation with system() in DNFPackageManager
Backtick calls interpolated the package name directly into a shell command string, allowing metacharacters (;, $(), backticks) to execute arbitrary commands. Using system() with separate arguments bypasses the shell entirely, so the package name is passed as a literal argv element to dnf. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/dslkeywords/package.rb10
1 files changed, 7 insertions, 3 deletions
diff --git a/lib/dslkeywords/package.rb b/lib/dslkeywords/package.rb
index 86903cf..d528ae8 100644
--- a/lib/dslkeywords/package.rb
+++ b/lib/dslkeywords/package.rb
@@ -6,9 +6,13 @@ require_relative 'resource'
module RCM
class DNFPackageManager
def installed?(pkg) = false
- def install(pkg) = `dnf install -y "#{pkg}"` unless installed?(pkg)
- def update(pkg) = `dnf update -y "#{pkg}"`
- def remove(pkg) = `dnf remove -y "#{pkg}"` if installed?(pkg)
+
+ # Use system() with separate arguments to avoid shell injection —
+ # backtick interpolation passes the command through a shell, which
+ # allows metacharacters in pkg names to execute arbitrary commands.
+ def install(pkg) = system('dnf', 'install', '-y', pkg) unless installed?(pkg)
+ def update(pkg) = system('dnf', 'update', '-y', pkg)
+ def remove(pkg) = system('dnf', 'remove', '-y', pkg) if installed?(pkg)
end
# Managing packages