ssh-based provisioner: Re-enable support for PowerShell

radeksimko · radeksimko · commit 2c32f94e1ad9 · 2025-10-24T21:05:17.000+01:00
diff --git a/internal/communicator/ssh/communicator.go b/internal/communicator/ssh/communicator.go
@@ -436,7 +436,7 @@ func (c *Communicator) Upload(path string, input io.Reader) error {
 		return scpUploadFile(targetFile, input, w, stdoutR, size)
 	}
 
-	cmd, err := quoteShell([]string{"scp", "-vt", targetDir}, c.connInfo.TargetPlatform)
+	cmd, err := quoteScpCommand([]string{"scp", "-vt", targetDir}, c.connInfo.TargetPlatform)
 	if err != nil {
 		return err
 	}
@@ -509,7 +509,7 @@ func (c *Communicator) UploadDir(dst string, src string) error {
 		return uploadEntries()
 	}
 
-	cmd, err := quoteShell([]string{"scp", "-rvt", dst}, c.connInfo.TargetPlatform)
+	cmd, err := quoteScpCommand([]string{"scp", "-rvt", dst}, c.connInfo.TargetPlatform)
 	if err != nil {
 		return err
 	}
@@ -886,14 +886,15 @@ func (c *bastionConn) Close() error {
 	return c.Bastion.Close()
 }
 
-func quoteShell(args []string, targetPlatform string) (string, error) {
+func quoteScpCommand(args []string, targetPlatform string) (string, error) {
 	if targetPlatform == TargetPlatformUnix {
 		return shquot.POSIXShell(args), nil
 	}
 	if targetPlatform == TargetPlatformWindows {
-		return shquot.WindowsArgv(args), nil
+		cmd, args := shquot.WindowsArgvSplit(args)
+		return fmt.Sprintf("%s %s", cmd, args), nil
 	}
 
-	return "", fmt.Errorf("Cannot quote shell command, target platform unknown: %s", targetPlatform)
+	return "", fmt.Errorf("Cannot quote scp command, target platform unknown: %s", targetPlatform)
 
 }
diff --git a/internal/communicator/ssh/communicator_test.go b/internal/communicator/ssh/communicator_test.go
@@ -23,6 +23,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/google/go-cmp/cmp"
 	"github.com/hashicorp/terraform/internal/communicator/remote"
 	"github.com/zclconf/go-cty/cty"
 	"golang.org/x/crypto/ssh"
@@ -660,7 +661,7 @@ func TestAccHugeUploadFile(t *testing.T) {
 		return scpUploadFile(targetFile, source, w, stdoutR, size)
 	}
 
-	cmd, err := quoteShell([]string{"scp", "-vt", targetDir}, c.connInfo.TargetPlatform)
+	cmd, err := quoteScpCommand([]string{"scp", "-vt", targetDir}, c.connInfo.TargetPlatform)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -680,6 +681,67 @@ func TestAccHugeUploadFile(t *testing.T) {
 	}
 }
 
+func TestQuoteScpCommand(t *testing.T) {
+	testCases := []struct {
+		inputArgs   []string
+		platform    string
+		expectedCmd string
+	}{
+		// valid Unix command
+		{
+			[]string{"scp", "-vt", "/var/path"},
+			TargetPlatformUnix,
+			"'scp' -vt /var/path",
+		},
+
+		// command injection attempt in Unix
+		{
+			[]string{"scp", "-vt", "/var/path;rm"},
+			TargetPlatformUnix,
+			"'scp' -vt /var/path\\;rm",
+		},
+		{
+			[]string{"scp", "-vt", "/var/path&&rm"},
+			TargetPlatformUnix,
+			"'scp' -vt /var/path\\&\\&rm",
+		},
+		{
+			[]string{"scp", "-vt", "/var/path|rm"},
+			TargetPlatformUnix,
+			"'scp' -vt /var/path\\|rm",
+		},
+		{
+			[]string{"scp", "-vt", "/var/path; rm"},
+			TargetPlatformUnix,
+			"'scp' -vt '/var/path; rm'",
+		},
+
+		// valid Windows command
+		{
+			[]string{"scp", "-vt", "C:\\Windows\\Temp"},
+			TargetPlatformWindows,
+			"scp -vt C:\\Windows\\Temp",
+		},
+
+		// command injection attempt in Windows
+		{
+			[]string{"scp", "-vt", "C:\\Windows\\Temp\";rmdir"},
+			TargetPlatformWindows,
+			"scp -vt \"C:\\Windows\\Temp\\\";rmdir\"",
+		},
+	}
+
+	for _, tc := range testCases {
+		cmd, err := quoteScpCommand(tc.inputArgs, tc.platform)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if diff := cmp.Diff(tc.expectedCmd, cmd); diff != "" {
+			t.Fatalf("unexpected command: %s", diff)
+		}
+	}
+}
+
 func TestScriptPath(t *testing.T) {
 	cases := []struct {
 		Input   string

Original file line number	Diff line number	Diff line change
`@@ -436,7 +436,7 @@ func (c *Communicator) Upload(path string, input io.Reader) error {`
`436`	`436`	`return scpUploadFile(targetFile, input, w, stdoutR, size)`
`437`	`437`	`}`
`438`	`438`
`439`		`- cmd, err := quoteShell([]string{"scp", "-vt", targetDir}, c.connInfo.TargetPlatform)`
	`439`	`+ cmd, err := quoteScpCommand([]string{"scp", "-vt", targetDir}, c.connInfo.TargetPlatform)`
`440`	`440`	`if err != nil {`
`441`	`441`	`return err`
`442`	`442`	`}`
`@@ -509,7 +509,7 @@ func (c *Communicator) UploadDir(dst string, src string) error {`
`509`	`509`	`return uploadEntries()`
`510`	`510`	`}`
`511`	`511`
`512`		`- cmd, err := quoteShell([]string{"scp", "-rvt", dst}, c.connInfo.TargetPlatform)`
	`512`	`+ cmd, err := quoteScpCommand([]string{"scp", "-rvt", dst}, c.connInfo.TargetPlatform)`
`513`	`513`	`if err != nil {`
`514`	`514`	`return err`
`515`	`515`	`}`
`@@ -886,14 +886,15 @@ func (c *bastionConn) Close() error {`
`886`	`886`	`return c.Bastion.Close()`
`887`	`887`	`}`
`888`	`888`
`889`		`-func quoteShell(args []string, targetPlatform string) (string, error) {`
	`889`	`+func quoteScpCommand(args []string, targetPlatform string) (string, error) {`
`890`	`890`	`if targetPlatform == TargetPlatformUnix {`
`891`	`891`	`return shquot.POSIXShell(args), nil`
`892`	`892`	`}`
`893`	`893`	`if targetPlatform == TargetPlatformWindows {`
`894`		`- return shquot.WindowsArgv(args), nil`
	`894`	`+ cmd, args := shquot.WindowsArgvSplit(args)`
	`895`	`+ return fmt.Sprintf("%s %s", cmd, args), nil`
`895`	`896`	`}`
`896`	`897`
`897`		`- return "", fmt.Errorf("Cannot quote shell command, target platform unknown: %s", targetPlatform)`
	`898`	`+ return "", fmt.Errorf("Cannot quote scp command, target platform unknown: %s", targetPlatform)`
`898`	`899`
`899`	`900`	`}`