From 9471496e9b6c074a916f357e2caa3f099d429d6c Mon Sep 17 00:00:00 2001
From: Arthur BOUDREAULT <arthur@lydra.fr>
Date: Tue, 12 Oct 2021 14:00:56 +0000
Subject: [PATCH] =?UTF-8?q?=E2=99=BBrefactor:=20Command=20ansible=20module?=
 =?UTF-8?q?=20across=20the=20repo=20for=20better=20security?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Shell module is not needed here.

According to various sources (https://www.youtube.com/watch?v=57gAqKvAKck or https://stackoverflow.com/questions/56663332/difference-between-shell-and-command-in-ansible) it is not useful to use the shell Ansible module when not working with shell operators. Therefore I have decided to switch every action to the command module, which is more secure. Ansible-lint says "Shell should only be used when piping, redirecting or chaining commands".
---
 tasks/apps.yml    |  4 ++--
 tasks/domains.yml |  4 ++--
 tasks/main.yml    | 12 ++++++------
 tasks/users.yml   | 14 +++++++-------
 4 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/tasks/apps.yml b/tasks/apps.yml
index a0e7a50..bf55203 100644
--- a/tasks/apps.yml
+++ b/tasks/apps.yml
@@ -1,6 +1,6 @@
 ---
 - name: List currently installed apps
-  ansible.builtin.shell: yunohost app map --output-as json
+  ansible.builtin.command: yunohost app map --output-as json
   register: ynh_installed_apps_raw
   changed_when: False
 
@@ -8,7 +8,7 @@
   ansible.builtin.set_fact: ynh_installed_apps="{{ ynh_installed_apps_raw.stdout | from_json }}"
 
 - name: Install yunohost apps
-  ansible.builtin.shell: yunohost app install {{ item.link }} \
+  ansible.builtin.command: yunohost app install {{ item.link }} \
      --label "{{ item.label }}" \
      --args "{% for key, value in item.args.items() %}{{ key }}={{ value 
     }}{% if not loop.last %}&{% endif %}{% endfor %}"
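Review bot: The trailing backslashes on `ansible.builtin.command: yunohost app install {{ item.link }} \` and the two lines below it stay in the rendered string, because the value is a plain multi-line YAML scalar that already folds each line break into a space; the command module then hands `... \ --label ...` to shlex, which reads `\ ` as an escaped space, so the option most likely reaches yunohost as ` --label` (leading space) instead of `--label`. This was already the case while the task used the shell module, but the same commit introduces it as a regression in tasks/main.yml and tasks/users.yml, where the removed double-quoted scalar (`\` before a newline is an escaped line break) and the removed `|` block scalar (newline kept, so `sh` saw a real continuation) handled the backslash correctly. Dropping the backslashes is enough, e.g. `ansible.builtin.command: >-` followed by `yunohost app install {{ item.link }}` and the `--label`/`--args` lines without `\`; the module's `argv` list form avoids shlex splitting of the templated values altogether. The task's `loop`/`with_items` and `when` lines continue past the end of the hunk.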
diff --git a/tasks/domains.yml b/tasks/domains.yml
index db41c0a..7c9ad27 100644
--- a/tasks/domains.yml
+++ b/tasks/domains.yml
@@ -1,6 +1,6 @@
 ---
 - name: List currently installed domains
-  ansible.builtin.shell: yunohost domain list --output-as json
+  ansible.builtin.command: yunohost domain list --output-as json
   register: ynh_installed_domains_raw
   changed_when: False
 
@@ -8,6 +8,6 @@
   ansible.builtin.set_fact: ynh_installed_domains="{{ ynh_installed_domains_raw.stdout | from_json }}"
 
 - name: Create domains
-  ansible.builtin.shell: yunohost domain add {{ item }}
+  ansible.builtin.command: yunohost domain add {{ item }}
   with_items: "{{ ynh_extra_domains }}"
   when: item not in ynh_installed_domains.domains
diff --git a/tasks/main.yml b/tasks/main.yml
index 3d9e9ba..419d4e0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -22,11 +22,11 @@
   when: ynh_file_install.stat.exists == False
 
 - name: Launch Yunohost postinstall
-  ansible.builtin.shell: "
+  ansible.builtin.command:
     yunohost tools postinstall \
-      --domain {{ ynh_main_domain }} \
-      --password {{ ynh_admin_password }} \
-      {% if ynh_ignore_dyndns_server == True %} --ignore-dyndns {% endif %}"
+      --domain "{{ ynh_main_domain }}" \
+      --password "{{ ynh_admin_password }}" \
+      {% if ynh_ignore_dyndns_server == True %} --ignore-dyndns {% endif %}
   when: ynh_file_install.stat.exists == False
 
 - name: Create extra domains
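Review bot: `--password "{{ ynh_admin_password }}"` on the new line passes the admin password as a command-line argument while the task has no `no_log: true`, so it is echoed in the task result (`cmd`, and `invocation` in verbose output) and any Ansible log, and is visible in the host's process list while the command runs. Given the commit's stated goal of better security, the task should at least carry `no_log: true`; the same applies to the `Create missing Yunohost users` task in tasks/users.yml, where `-p "{{ item.pass }}"` is passed and the looped `item` (which contains `pass`) is printed for every iteration. `no_log: true` also suppresses the module's error output, so keep it scoped to these two tasks rather than the play.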
@@ -34,10 +34,10 @@
   when: ynh_extra_domains
 
 - name: Run first Yunohost diagnosis
-  ansible.builtin.shell: yunohost diagnosis run
+  ansible.builtin.command: yunohost diagnosis run
 
 - name: Install domain certificates
-  ansible.builtin.shell: yunohost domain cert-install
+  ansible.builtin.command: yunohost domain cert-install
   changed_when: False
 
 - name: Add Yunohost users
diff --git a/tasks/users.yml b/tasks/users.yml
index f3e7eb1..ac3e087 100644
--- a/tasks/users.yml
+++ b/tasks/users.yml
@@ -1,6 +1,6 @@
 ---
 - name: List users
-  ansible.builtin.shell: yunohost user list --output-as json
+  ansible.builtin.command: yunohost user list --output-as json
   register: ynh_registered_users_raw
   changed_when: False
 
@@ -8,11 +8,11 @@
   ansible.builtin.set_fact: ynh_registered_users="{{ ynh_registered_users_raw.stdout | from_json }}"
 
 - name: Create missing Yunohost users
-  ansible.builtin.shell: |
-    yunohost user create {{ item.name }} \
-    -f {{ item.firstname }} \
-    -l {{ item.lastname }} \
-    -d {{ item.mail_domain }} \
-    -p {{ item.pass }}
+  ansible.builtin.command:
+    yunohost user create "{{ item.name }}" \
+    -f "{{ item.firstname }}" \
+    -l "{{ item.lastname }}" \
+    -d "{{ item.mail_domain }}" \
+    -p "{{ item.pass }}"
   loop: "{{ ynh_users }}"
   when: item.name not in ynh_registered_users.users.keys()
-- 
GitLab