From cb9bccbda4935888ee468759fae2c12f5dbd44e9 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Mon, 15 Jan 2024 23:01:57 +0100
Subject: [PATCH] Wrap Bash snippets in a subshell when generating a fix script

Bring the behavior of the generated Bash script closer to one
we have with oscap xccdf eval --remediate.

This will ensure snippet isolation and protect the script flow
from possible intrusive commands and settings (exit, trap etc).
---
 src/XCCDF_POLICY/xccdf_policy_remediate.c | 4 ++--
 tests/API/XCCDF/fix/all.sh                | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
index 521633dd6e..92a8600d23 100644
--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -633,7 +633,7 @@ static int _write_fix_header_to_fd(const char *sys, int output_fd, struct xccdf_
 				"###############################################################################\n"
 				"# BEGIN fix (%i / %i) for '%s'\n"
 				"###############################################################################\n"
-				"(>&2 echo \"Remediating rule %i/%i: '%s'\")\n",
+				"(>&2 echo \"Remediating rule %i/%i: '%s'\"); (\n",
 				current, total, xccdf_rule_get_id(rule), current, total, xccdf_rule_get_id(rule));
 		return _write_text_to_fd_and_free(output_fd, fix_header);
 	} else {
@@ -644,7 +644,7 @@ static int _write_fix_header_to_fd(const char *sys, int output_fd, struct xccdf_
 static int _write_fix_footer_to_fd(const char *sys, int output_fd, struct xccdf_rule *rule)
 {
 	if (oscap_streq(sys, "") || oscap_streq(sys, "urn:xccdf:fix:script:sh") || oscap_streq(sys, "urn:xccdf:fix:commands")) {
-		char *fix_footer = oscap_sprintf("\n# END fix for '%s'\n\n", xccdf_rule_get_id(rule));
+		char *fix_footer = oscap_sprintf("\n) # END fix for '%s'\n\n", xccdf_rule_get_id(rule));
 		return _write_text_to_fd_and_free(output_fd, fix_footer);
 	} else {
 		return 0;
diff --git a/tests/API/XCCDF/fix/all.sh b/tests/API/XCCDF/fix/all.sh
index 5ad60840be..a21f8d4280 100755
--- a/tests/API/XCCDF/fix/all.sh
+++ b/tests/API/XCCDF/fix/all.sh
@@ -16,7 +16,7 @@ function test_generate_fix {
     # `tail -n +2` to skip the first line with progress reporting
     local GENERATED_FIX RELEVANT_FIX_CONTENTS
     GENERATED_FIX=$($OSCAP xccdf generate fix --result-id "$TESTRESULT_ID" "$INPUT")
-    RELEVANT_FIX_CONTENTS=$(grep -v -E "^([\t ]*|[\t ]*#.*)$" <<< "$GENERATED_FIX" | tail -n +2)
+    RELEVANT_FIX_CONTENTS=$(grep -v -E "^([\t ]*|[\t ]*#.*|\) #.*)$" <<< "$GENERATED_FIX" | tail -n +2)
     if [ "$?" != "0" ]; then
         return 1
     fi