From f9dd513d8cd70654b03bcb80e9b4897c2ef6f72b Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Sun, 1 Mar 2026 23:00:14 +0200
Subject: fix: replace shell-interpolation with system() in DNFPackageManager
Backtick calls interpolated the package name directly into a shell command string, allowing metacharacters (;, $(), backticks) to execute arbitrary commands. Using system() with separate arguments bypasses the shell entirely, so the package name is passed as a literal argv element to dnf.
Co-Authored-By: Claude Sonnet 4.6
---
lib/dslkeywords/package.rb | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/lib/dslkeywords/package.rb b/lib/dslkeywords/package.rb
index 86903cf..d528ae8 100644
--- a/lib/dslkeywords/package.rb
+++ b/lib/dslkeywords/package.rb
@@ -6,9 +6,13 @@ require_relative 'resource'
 module RCM
 class DNFPackageManager
 def installed?(pkg) = false
- def install(pkg) = `dnf install -y "#{pkg}"` unless installed?(pkg)
- def update(pkg) = `dnf update -y "#{pkg}"`
- def remove(pkg) = `dnf remove -y "#{pkg}"` if installed?(pkg)
+
+ # Use system() with separate arguments to avoid shell injection —
+ # backtick interpolation passes the command through a shell, which
+ # allows metacharacters in pkg names to execute arbitrary commands.
+ def install(pkg) = system('dnf', 'install', '-y', pkg) unless installed?(pkg)
+ def update(pkg) = system('dnf', 'update', '-y', pkg)
+ def remove(pkg) = system('dnf', 'remove', '-y', pkg) if installed?(pkg)
 end
 # Managing packages
-- cgit v1.2.3
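Review bot: Passing `pkg` as its own argv element closes the shell-injection hole but not argument injection — on all three new `system(...)` lines a package name that begins with `-` (for example `--installroot=/tmp/x` or a `--setopt=` value) is still parsed by dnf as an option rather than a package, so an end-of-options marker should precede it, `system('dnf', 'install', '-y', '--', pkg)`, assuming dnf's argparse-based CLI honours `--` as most argparse programs do. The return value of `system` is also silently dropped: it yields `false` on a non-zero exit and `nil` when `dnf` cannot be executed, whereas the replaced backtick calls returned dnf's stdout, so any caller that inspected the result now sees a boolean and a failed install or remove goes unnoticed; `system('dnf', 'install', '-y', '--', pkg, exception: true)` would raise on failure instead, and the endless-method syntax shows the file already targets Ruby 3.0+, where that keyword is available. Separately, the context line `def installed?(pkg) = false` is a hard-coded stub, so `remove` can never run and `install` always does — presumably intentional for now, but a `# TODO: query rpm -q / dnf list installed` comment there would stop the guards from being mistaken for working checks.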