authorPete Higgins <pete@peterhiggins.org>2020-06-02 16:02:47 -0700
committerPete Higgins <pete@peterhiggins.org>2020-06-03 11:46:53 -0700
commitf7cf0e629006cdcf37a540d9724bc8e57304d0fb (patch)
treee6a3826fc58a013d2b1b1a54dcc40e951f1bd09b
parentb149c5967fdb3f084853f4cf06bff8ec607f7328 (diff)
Restrict temp file to when it is used.
Signed-off-by: Pete Higgins <pete@peterhiggins.org>
-rw-r--r--lib/chef/provider/batch.rb2
-rw-r--r--lib/chef/provider/powershell_script.rb2
-rw-r--r--lib/chef/provider/windows_script.rb37
3 files changed, 20 insertions, 21 deletions
diff --git a/lib/chef/provider/batch.rb b/lib/chef/provider/batch.rb
index 3ed55f611a..af52b0a36a 100644
--- a/lib/chef/provider/batch.rb
+++ b/lib/chef/provider/batch.rb
@@ -27,7 +27,7 @@ class Chef
def command
interpreter_path = Chef::Util::PathHelper.join(basepath, interpreter)
- "\"#{interpreter_path}\" #{new_resource.flags} /c \"#{script_file.path}\""
+ "\"#{interpreter_path}\" #{new_resource.flags} /c \"#{script_file_path}\""
end
def script_extension
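Review bot: `script_file_path` is only set while `with_temp_script_file` is running (see the windows_script.rb hunk), so `command` called at any other time now interpolates nil and produces `/c ""`, where the old `script_file.path` created the file lazily. The same applies to the `-File` line in powershell_script.rb and to `command` in windows_script.rb. If no caller reaches `command` outside that block, a comment on the method such as `# Only valid inside with_temp_script_file; script_file_path is nil otherwise.` records the precondition. Otherwise a guard like `raise "script_file_path is not set outside with_temp_script_file" unless script_file_path` fails loudly instead of handing the interpreter an empty path.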
diff --git a/lib/chef/provider/powershell_script.rb b/lib/chef/provider/powershell_script.rb
index b55bed224d..2b7c384246 100644
--- a/lib/chef/provider/powershell_script.rb
+++ b/lib/chef/provider/powershell_script.rb
@@ -41,7 +41,7 @@ class Chef
# error status of a failed Windows process that ran at the
# end of the script, it gets changed to '1'.
#
- "\"#{interpreter_path}\" #{new_resource.flags} -File \"#{script_file.path}\""
+ "\"#{interpreter_path}\" #{new_resource.flags} -File \"#{script_file_path}\""
end
protected
diff --git a/lib/chef/provider/windows_script.rb b/lib/chef/provider/windows_script.rb
index 225e0c5563..0334a84150 100644
--- a/lib/chef/provider/windows_script.rb
+++ b/lib/chef/provider/windows_script.rb
@@ -25,6 +25,8 @@ class Chef
protected
+ attr_accessor :script_file_path
+
include Chef::Mixin::WindowsArchitectureHelper
def target_architecture
@@ -62,22 +64,22 @@ class Chef
end
def command
- "\"#{interpreter}\" #{flags} \"#{script_file.path}\""
+ "\"#{interpreter}\" #{flags} \"#{script_file_path}\""
end
- def set_owner_and_group
+ def set_owner_and_group(file_path)
if ChefUtils.windows?
# And on Windows also this is a no-op if there is no user specified.
- grant_alternate_user_read_access
+ grant_alternate_user_read_access(file_path)
else
# FileUtils itself implements a no-op if +user+ or +group+ are nil
# You can prove this by running FileUtils.chown(nil,nil,'/tmp/file')
# as an unprivileged user.
- FileUtils.chown(new_resource.user, new_resource.group, script_file.path)
+ FileUtils.chown(new_resource.user, new_resource.group, file_path)
end
end
- def grant_alternate_user_read_access
+ def grant_alternate_user_read_access(file_path)
# Do nothing if an alternate user isn't specified -- the file
# will already have the correct permissions for the user as part
# of the default ACL behavior on Windows.
@@ -85,7 +87,7 @@ class Chef
# Duplicate the script file's existing DACL
# so we can add an ACE later
- securable_object = Chef::ReservedNames::Win32::Security::SecurableObject.new(script_file.path)
+ securable_object = Chef::ReservedNames::Win32::Security::SecurableObject.new(file_path)
aces = securable_object.security_descriptor.dacl.reduce([]) { |result, current| result.push(current) }
username = new_resource.user
@@ -107,19 +109,20 @@ class Chef
(securable_object.dacl = acl)
end
- def unlink_script_file
- script_file && script_file.close!
- end
-
def with_temp_script_file
- script_file.puts(code)
- script_file.close
+ Tempfile.open(["chef-script", script_extension]) do |script_file|
+ script_file.puts(code)
+ script_file.close
+
+ set_owner_and_group(script_file.path)
- set_owner_and_group
+ # This needs to be set here so that the call to #command in Execute works.
+ self.script_file_path = script_file.path
- yield
+ yield
- unlink_script_file
+ self.script_file_path = nil
+ end
end
def input
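Review bot: The reset `self.script_file_path = nil` in `with_temp_script_file` runs only when the block returns normally, so if `yield` raises the provider keeps a path to a script that is being torn down. Cleanup also changed: the removed `unlink_script_file` called `close!`, whereas block-form `Tempfile.open` on some Ruby versions only closes the file and leaves unlinking to the finalizer. That would leave the script text, and on Windows the read access granted to the alternate user, on disk longer than before, so it is worth confirming for the Ruby versions this provider supports. Wrapping the call as `begin; yield; ensure; self.script_file_path = nil; script_file.unlink; end` covers both the stale path and the explicit removal.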
@@ -136,10 +139,6 @@ class Chef
end
end
- def script_file
- @script_file ||= Tempfile.open(["chef-script", script_extension])
- end
-
def script_extension
raise Chef::Exceptions::Override, "You must override #{__method__} in #{self}"
end