Don't write payloads to disk, they may contain sensitive info.

Signed-off-by: Jamie Pate <jpate@fortinet.com>

Author: jamie-pate

assets/check

@@ -11,27 +11,25 @@ source $(dirname $0)/common.sh
 # for jq
 PATH=/usr/local/bin:$PATH
 
-payload=$TMPDIR/git-resource-request
-
-cat > $payload <&0
-
-load_pubkey $payload
-configure_https_tunnel $payload
-configure_git_ssl_verification $payload
-configure_credentials $payload
-
-uri=$(jq -r '.source.uri // ""' < $payload)
-branch=$(jq -r '.source.branch // ""' < $payload)
-paths="$(jq -r '(.source.paths // ["."])[]' < $payload)" # those "'s are important
-ignore_paths="$(jq -r '":!" + (.source.ignore_paths // [])[]' < $payload)" # these ones too
-tag_filter=$(jq -r '.source.tag_filter // ""' < $payload)
-tag_regex=$(jq -r '.source.tag_regex // ""' < $payload)
-git_config_payload=$(jq -r '.source.git_config // []' < $payload)
-ref=$(jq -r '.version.ref // ""' < $payload)
-skip_ci_disabled=$(jq -r '.source.disable_ci_skip // false' < $payload)
-filter_whitelist=$(jq -r '.source.commit_filter.include // []' < $payload)
-filter_blacklist=$(jq -r '.source.commit_filter.exclude // []' < $payload)
-version_depth=$(jq -r '.source.version_depth // 1' < $payload)
+payload="$(cat <&0)"
+
+load_pubkey "$payload"
+configure_https_tunnel "$payload"
+configure_git_ssl_verification "$payload"
+configure_credentials "$payload"
+
+uri=$(jq -r '.source.uri // ""' <<< "$payload")
+branch=$(jq -r '.source.branch // ""' <<< "$payload")
+paths="$(jq -r '(.source.paths // ["."])[]' <<< "$payload")" # those "'s are important
+ignore_paths="$(jq -r '":!" + (.source.ignore_paths // [])[]' <<< "$payload")" # these ones too
+tag_filter=$(jq -r '.source.tag_filter // ""' <<< "$payload")
+tag_regex=$(jq -r '.source.tag_regex // ""' <<< "$payload")
+git_config_payload=$(jq -r '.source.git_config // []' <<< "$payload")
+ref=$(jq -r '.version.ref // ""' <<< "$payload")
+skip_ci_disabled=$(jq -r '.source.disable_ci_skip // false' <<< "$payload")
+filter_whitelist=$(jq -r '.source.commit_filter.include // []' <<< "$payload")
+filter_blacklist=$(jq -r '.source.commit_filter.exclude // []' <<< "$payload")
+version_depth=$(jq -r '.source.version_depth // 1' <<< "$payload")
 reverse=false
 
 configure_git_global "${git_config_payload}"

assets/common.sh

@@ -3,11 +3,11 @@ export GIT_CRYPT_KEY_PATH=~/git-crypt.key
 
 load_pubkey() {
   local private_key_path=$TMPDIR/git-resource-private-key
-  local private_key_user=$(jq -r '.source.private_key_user // empty' < $1)
-  local forward_agent=$(jq -r '.source.forward_agent // false' < $1)
-  local passphrase="$(jq -r '.source.private_key_passphrase // empty' < $1)"
+  local private_key_user=$(jq -r '.source.private_key_user // empty' <<< "$1")
+  local forward_agent=$(jq -r '.source.forward_agent // false' <<< "$1")
+  local passphrase="$(jq -r '.source.private_key_passphrase // empty' <<< "$1")"
 
-  (jq -r '.source.private_key // empty' < $1) > $private_key_path
+  (jq -r '.source.private_key // empty' <<< "$1") > $private_key_path
 
   if [ -s $private_key_path ]; then
     chmod 0600 $private_key_path
@@ -36,7 +36,7 @@ EOF
 }
 
 configure_https_tunnel() {
-  tunnel=$(jq -r '.source.https_tunnel // empty' < $1)
+  tunnel=$(jq -r '.source.https_tunnel // empty' <<< "$1")
 
   if [ ! -z "$tunnel" ]; then
     host=$(echo "$tunnel" | jq -r '.proxy_host // empty')
@@ -67,7 +67,7 @@ configure_git_global() {
 }
 
 configure_git_ssl_verification() {
-  skip_ssl_verification=$(jq -r '.source.skip_ssl_verification // false' < $1)
+  skip_ssl_verification=$(jq -r '.source.skip_ssl_verification // false' <<< "$1")
   if [ "$skip_ssl_verification" = "true" ]; then
     export GIT_SSL_NO_VERIFY=true
   fi
@@ -187,23 +187,23 @@ git_metadata() {
 configure_submodule_credentials() {
   local username
   local password
-  if [[ "$(jq -r '.source.submodule_credentials // ""' < "$1")" == "" ]]; then
+  if [[ "$(jq -r '.source.submodule_credentials // ""' <<< "$1")" == "" ]]; then
     return
   fi
 
-  for k in $(jq -r '.source.submodule_credentials | keys | .[]' < "$1"); do
-    host=$(jq -r --argjson k "$k" '.source.submodule_credentials[$k].host // ""' < "$1")
-    username=$(jq -r --argjson k "$k" '.source.submodule_credentials[$k].username // ""' < "$1")
-    password=$(jq -r --argjson k "$k" '.source.submodule_credentials[$k].password // ""' < "$1")
+  for k in $(jq -r '.source.submodule_credentials | keys | .[]' <<< "$1"); do
+    host=$(jq -r --argjson k "$k" '.source.submodule_credentials[$k].host // ""' <<< "$1")
+    username=$(jq -r --argjson k "$k" '.source.submodule_credentials[$k].username // ""' <<< "$1")
+    password=$(jq -r --argjson k "$k" '.source.submodule_credentials[$k].password // ""' <<< "$1")
     if [ "$username" != "" -a "$password" != "" -a "$host" != "" ]; then
       echo "machine $host login $username password $password" >> "${HOME}/.netrc"
     fi
   done
 }
 
 configure_credentials() {
-  local username=$(jq -r '.source.username // ""' < $1)
-  local password=$(jq -r '.source.password // ""' < $1)
+  local username=$(jq -r '.source.username // ""' <<< "$1")
+  local password=$(jq -r '.source.password // ""' <<< "$1")
 
   rm -f $HOME/.netrc
   configure_submodule_credentials "$1"
@@ -216,7 +216,7 @@ configure_credentials() {
 load_git_crypt_key() {
   local git_crypt_tmp_key_path=$TMPDIR/git-resource-git-crypt-key
 
-  (jq -r '.source.git_crypt_key // empty' < $1) > $git_crypt_tmp_key_path
+  (jq -r '.source.git_crypt_key // empty' <<< "$1") > $git_crypt_tmp_key_path
 
   if [ -s $git_crypt_tmp_key_path ]; then
       cat $git_crypt_tmp_key_path | tr ' ' '\n' | base64 -d > $GIT_CRYPT_KEY_PATH

assets/in

@@ -23,41 +23,39 @@ if [ "${bin_dir#/}" == "$bin_dir" ]; then
   bin_dir="$PWD/$bin_dir"
 fi
 
-payload=$(mktemp $TMPDIR/git-resource-request.XXXXXX)
-
-cat > $payload <&0
-
-load_pubkey $payload
-load_git_crypt_key $payload
-configure_https_tunnel $payload
-configure_git_ssl_verification $payload
-configure_credentials $payload
-
-uri=$(jq -r '.source.uri // ""' < $payload)
-branch=$(jq -r '.source.branch // ""' < $payload)
-git_config_payload=$(jq -r '.source.git_config // []' < $payload)
-ref=$(jq -r '.version.ref // "HEAD"' < $payload)
-override_branch=$(jq -r '.version.branch // ""' < $payload)
-depth=$(jq -r '(.params.depth // 0)' < $payload)
-fetch=$(jq -r '(.params.fetch // [])[]' < $payload)
-submodules=$(jq -r '(.params.submodules // "all")' < $payload)
-submodule_recursive=$(jq -r '(.params.submodule_recursive // true)' < $payload)
-submodule_remote=$(jq -r '(.params.submodule_remote // false)' < $payload)
-commit_verification_key_ids=$(jq -r '(.source.commit_verification_key_ids // [])[]' < $payload)
-commit_verification_keys=$(jq -r '(.source.commit_verification_keys // [])[]' < $payload)
-tag_filter=$(jq -r '.source.tag_filter // ""' < $payload)
-tag_regex=$(jq -r '.source.tag_regex // ""' < $payload)
-fetch_tags=$(jq -r '.params.fetch_tags' < $payload)
-gpg_keyserver=$(jq -r '.source.gpg_keyserver // "hkp://ipv4.pool.sks-keyservers.net/"' < $payload)
-disable_git_lfs=$(jq -r '(.params.disable_git_lfs // false)' < $payload)
-clean_tags=$(jq -r '(.params.clean_tags // false)' < $payload)
-short_ref_format=$(jq -r '(.params.short_ref_format // "%s")' < $payload)
-timestamp_format=$(jq -r '(.params.timestamp_format // "iso8601")' < $payload)
-describe_ref_options=$(jq -r '(.params.describe_ref_options // "--always --dirty --broken")' < $payload)
+payload="$(cat <&0)"
+
+load_pubkey "$payload"
+load_git_crypt_key "$payload"
+configure_https_tunnel "$payload"
+configure_git_ssl_verification "$payload"
+configure_credentials "$payload"
+
+uri=$(jq -r '.source.uri // ""' <<< "$payload")
+branch=$(jq -r '.source.branch // ""' <<< "$payload")
+git_config_payload=$(jq -r '.source.git_config // []' <<< "$payload")
+ref=$(jq -r '.version.ref // "HEAD"' <<< "$payload")
+override_branch=$(jq -r '.version.branch // ""' <<< "$payload")
+depth=$(jq -r '(.params.depth // 0)' <<< "$payload")
+fetch=$(jq -r '(.params.fetch // [])[]' <<< "$payload")
+submodules=$(jq -r '(.params.submodules // "all")' <<< "$payload")
+submodule_recursive=$(jq -r '(.params.submodule_recursive // true)' <<< "$payload")
+submodule_remote=$(jq -r '(.params.submodule_remote // false)' <<< "$payload")
+commit_verification_key_ids=$(jq -r '(.source.commit_verification_key_ids // [])[]' <<< "$payload")
+commit_verification_keys=$(jq -r '(.source.commit_verification_keys // [])[]' <<< "$payload")
+tag_filter=$(jq -r '.source.tag_filter // ""' <<< "$payload")
+tag_regex=$(jq -r '.source.tag_regex // ""' <<< "$payload")
+fetch_tags=$(jq -r '.params.fetch_tags' <<< "$payload")
+gpg_keyserver=$(jq -r '.source.gpg_keyserver // "hkp://ipv4.pool.sks-keyservers.net/"' <<< "$payload")
+disable_git_lfs=$(jq -r '(.params.disable_git_lfs // false)' <<< "$payload")
+clean_tags=$(jq -r '(.params.clean_tags // false)' <<< "$payload")
+short_ref_format=$(jq -r '(.params.short_ref_format // "%s")' <<< "$payload")
+timestamp_format=$(jq -r '(.params.timestamp_format // "iso8601")' <<< "$payload")
+describe_ref_options=$(jq -r '(.params.describe_ref_options // "--always --dirty --broken")' <<< "$payload")
 
 # If params not defined, get it from source
 if [ -z "$fetch_tags" ] || [ "$fetch_tags" == "null" ]  ; then
-  fetch_tags=$(jq -r '.source.fetch_tags' < $payload)
+  fetch_tags=$(jq -r '.source.fetch_tags' <<< "$payload")
 fi
 
 configure_git_global "${git_config_payload}"

assets/out

@@ -18,29 +18,27 @@ fi
 # for jq
 PATH=/usr/local/bin:$PATH
 
-payload=$(mktemp $TMPDIR/git-resource-request.XXXXXX)
-
-cat > $payload <&0
-
-load_pubkey $payload
-configure_https_tunnel $payload
-configure_git_ssl_verification $payload
-configure_credentials $payload
-
-uri=$(jq -r '.source.uri // ""' < $payload)
-branch=$(jq -r '.source.branch // ""' < $payload)
-git_config_payload=$(jq -r '.source.git_config // []' < $payload)
-repository=$(jq -r '.params.repository // ""' < $payload)
-tag=$(jq -r '.params.tag // ""' < $payload)
-tag_prefix=$(jq -r '.params.tag_prefix // ""' < $payload)
-rebase=$(jq -r '.params.rebase // false' < $payload)
-merge=$(jq -r '.params.merge // false' < $payload)
-returning=$(jq -r '.params.returning // "merged"' < $payload)
-force=$(jq -r '.params.force // false' < $payload)
-only_tag=$(jq -r '.params.only_tag // false' < $payload)
-annotation_file=$(jq -r '.params.annotate // ""' < $payload)
-notes_file=$(jq -r '.params.notes // ""' < $payload)
-override_branch=$(jq -r '.params.branch // ""' < $payload)
+payload="$(cat <&0)"
+
+load_pubkey "$payload"
+configure_https_tunnel "$payload"
+configure_git_ssl_verification "$payload"
+configure_credentials "$payload"
+
+uri=$(jq -r '.source.uri // ""' <<< "$payload")
+branch=$(jq -r '.source.branch // ""' <<< "$payload")
+git_config_payload=$(jq -r '.source.git_config // []' <<< "$payload")
+repository=$(jq -r '.params.repository // ""' <<< "$payload")
+tag=$(jq -r '.params.tag // ""' <<< "$payload")
+tag_prefix=$(jq -r '.params.tag_prefix // ""' <<< "$payload")
+rebase=$(jq -r '.params.rebase // false' <<< "$payload")
+merge=$(jq -r '.params.merge // false' <<< "$payload")
+returning=$(jq -r '.params.returning // "merged"' <<< "$payload")
+force=$(jq -r '.params.force // false' <<< "$payload")
+only_tag=$(jq -r '.params.only_tag // false' <<< "$payload")
+annotation_file=$(jq -r '.params.annotate // ""' <<< "$payload")
+notes_file=$(jq -r '.params.notes // ""' <<< "$payload")
+override_branch=$(jq -r '.params.branch // ""' <<< "$payload")
 
 configure_git_global "${git_config_payload}"