如何避免Shell脚本Sed修改密码变量内容

Question

When i am trying to sed as below

sed -e 's,</Context>,<Resource name="ABC"  password="'"$DB_PASS"'"/>\n&,' -i /path

sed is truncating backslash.

For example

DB_PASS='1!2@3#4$5%6^7&8*9(0)[{]}\|'

O/p is

<Resource name="jdbc/KARDB" 
 password=""1!2@3#4$5%6^7</Context>8*9(0)[{]}|""/> </Context>

if my DB_PASS contains backslash, &, single quote double quote anyother spl characters i dont want sed to change password contents. but substitute as it is.

Thanks, Kusuma

Answer 1

The specific problem you run into is that your password contains & , which in the replacement part of an s command refers to the matched text.

As has become a litany of mine, it is generally not a good idea to substitute shell variables into sed code precisely for reasons like these: sed cannot differentiate between code and your data. This is one of the more harmless things that could go wrong; imagine what GNU sed would have done if someone had entered a password like rm -Rf /,e # .

A direct replacement with GNU awk (it has to be gawk because RT is GNU-specific) could be

DB_PASS="$DB_PASS" gawk -v RS='</Context>' '{ printf $0; if(RT == RS) { print "<Resource name=\"jdbc/KARDB\" password=\"" ENVIRON["DB_PASS"] "\"/>" } printf RT }'

The usual -v dbpass="$DB_PASS" trick does not work here because you don't even want escape sequences interpreted, so we forcefully add DB_PASS to awk 's environment and take it from there. Add -i inplace to awk's options if you want the file to be changed in place and you have GNU awk 4.1.0 or later, although I usually use cp file file~; awk ... file~ > file cp file file~; awk ... file~ > file to have a backup in case things go wrong.

There's a problem, however: how do you handle " in passwords? Might be a good idea to do something like dbpass = ENVIRON["DB_PASS"]; gsub(/"/, """, dbpass); and use dbpass in the output. And the same for all other critical characters, such as < and > .

Since you appear to be parsing XML data, it would be better to use an XML-based tool, so that you don't run into problems when the Context tag is empty and written as <Context/> , and to avoid the above problem (which could be a rather big one). For example, with xmlstarlet you could do something like this:

xmlstarlet ed -s '//Context' -t elem -n Resource -i '//Context/Resource[not(@name)]' -t attr -n name -v 'jdbc/KARDB' -i '//Context/Resource[@name="jdbc/KARDB"]' -t attr -n password -v "$DB_PASS"

This consists of three steps:

-s '//Context' -t elem -n Resource

inserts an empty Resource subnode under every Context node (this is fine if there's only one; otherwise you might want to specify it in more detail)

-i '//Context/Resource[not(@name)]' -t attr -n name -v 'jdbc/KARDB'

inserts an attribute name="jdbc/KARDB" in every Context/Resource node that has no name (which is hopefully only the one we just inserted), and

-i '//Context/Resource[@name="jdbc/KARDB"]' -t attr -n password -v "$DB_PASS"

inserts a password attribute with the value of $DB_PASS (properly quoted) in every Resource node under a Context node whose name attribute has the value jdbc/KARDB (again, this should be only the node we just inserted). For a more perfect solution that inserts the whole node in one go, you'll want to take a closer look at xslt, but if you were happy with the original sed approach, none of the shortcomings of this approach should be a problem.