epm repack: fix CVE: validate YAML output before eval and do safe parsing

pack.d/common.sh

@@ -6,7 +6,20 @@ fatal()
     exit 1
 }
 
-
+# Load YAML fields into shell variables safely (prevents command injection)
+# Usage: yaml_load_vars file.yaml field1 field2 field3 ...
+yaml_load_vars()
+{
+    local file="$1"
+    shift
+    local data field value
+    data="$(epm tool yaml "$file" 2>/dev/null)"
+    for field in "$@" ; do
+        value="$(printf '%s\n' "$data" | grep "^${field}=" | head -n1 | sed "s/^[^=]*=\"\(.*\)\"$/\1/")"
+        # Use single quotes to prevent command execution in values
+        eval "$field='$(printf '%s' "$value" | sed "s/'/'\\\\''/g")'"
+    done
+}
 
 # compatibility layer
 

pack.d/generic-snap.sh

@@ -21,7 +21,7 @@ a= unsquashfs $TAR || fatal
 # version: 1.69.1
 # summary: Plex for Linux
 # description:
-eval $(epm tool yaml squashfs-root/meta/snap.yaml | grep -E "^(name|version|summary|description)=") #"
+yaml_load_vars squashfs-root/meta/snap.yaml name version summary description
 
 [ -n "$name" ] || fatal "Can't get name from snap.yaml"
 [ -n "$version" ] || fatal "Can't get version from snap.yaml"

repack.d/common.sh

@@ -20,6 +20,21 @@ warning()
     echo "WARNING: $*" >&2
 }
 
+# Load YAML fields into shell variables safely (prevents command injection)
+# Usage: yaml_load_vars file.yaml field1 field2 field3 ...
+yaml_load_vars()
+{
+    local file="$1"
+    shift
+    local data field value
+    data="$(epm tool yaml "$file" 2>/dev/null)"
+    for field in "$@" ; do
+        value="$(printf '%s\n' "$data" | grep "^${field}=" | head -n1 | sed "s/^[^=]*=\"\(.*\)\"$/\1/")"
+        # Use single quotes to prevent command execution in values
+        eval "$field='$(printf '%s' "$value" | sed "s/'/'\\\\''/g")'"
+    done
+}
+
 # compatibility layer
 
 # check if <arg> is a real command

repack.d/generic.sh

@@ -12,6 +12,11 @@ SUBGENERIC="$5"
 # firstly, pack $PRODUCTDIR if used
 . $(dirname $0)/common.sh
 
+# Security: reject packages containing .eepm.yaml (could be used for command injection)
+if find "$BUILDROOT" -name "*.eepm.yaml" 2>/dev/null | grep -q . ; then
+    fatal "Package contains .eepm.yaml file which is not allowed (security risk)"
+fi
+
 # commented out: conflicts with already installed package
 # drop %dir for existed system dirs
 #for i in $(grep '^%dir "' $spec | sed -e 's|^%dir  *"\(.*\)".*|\1|' ) ; do #"
@@ -157,9 +162,8 @@ subst "s|^\(Version: .*\)~.*|\1|" $SPEC
 subst "s|^Release: |Release: epm1.repacked.|" $SPEC
 set_rpm_field "Distribution" "EEPM"
 
-# TODO: check the yaml file!!!
 if [ -r "$PKG.eepm.yaml" ] ; then
-    eval $(epm tool yaml $PKG.eepm.yaml | grep -E '^(summary|description|upstream_file|upstream_url|url|appname|arch|group|license|version)=' ) #'
+    yaml_load_vars "$PKG.eepm.yaml" name summary description upstream_file upstream_url url appname arch group license version
     # for tarballs fix permissions
     chmod $verbose -R a+rX *
     [ -n "$name" ] && [ "$name" != "$PRODUCT" ] && warning "name $name in $PKG.eepm.yaml is not equal to PRODUCT $PRODUCT"