Shellescape command input

Donal McBreen
2024-09-05 08:37:50 +01:00
parent 1522d94ac9
commit 9b96ef2412
3 changed files with 7 additions and 7 deletions


@@ -4,7 +4,7 @@ class Kamal::Secrets::Adapters::Bitwarden < Kamal::Secrets::Adapters::Base
status = run_command("status")
if status["status"] == "unauthenticated"
run_command("login #{account}")
run_command("login #{account.shellescape}", raw: true)
status = run_command("status")
end
@@ -24,7 +24,7 @@ class Kamal::Secrets::Adapters::Bitwarden < Kamal::Secrets::Adapters::Base
def fetch_from_vault(secrets, account:, session:)
{}.tap do |results|
items_fields(secrets).each do |item, fields|
item_json = run_command("get item #{item}", session: session, raw: true)
item_json = run_command("get item #{item.shellescape}", session: session, raw: true)
raise RuntimeError, "Could not read #{secret} from Bitwarden" unless $?.success?
item_json = JSON.parse(item_json)
@@ -57,7 +57,7 @@ class Kamal::Secrets::Adapters::Bitwarden < Kamal::Secrets::Adapters::Base
end
def run_command(command, session: nil, raw: false)
full_command = [ *("BW_SESSION=#{session}" if session), "bw", command ].join(" ")
full_command = [ *("BW_SESSION=#{session.shellescape}" if session), "bw", command ].join(" ")
result = `#{full_command}`.strip
raw ? result : JSON.parse(result)
end
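Review bot: `run_command` still joins its arguments into one string and runs it through a shell with backticks, and `command` itself is passed through untouched, so the escaping added here holds only while every caller remembers to `shellescape` each interpolated value. I would state that contract on the method, e.g. `# command is run through a shell: callers must shellescape every dynamic value`, or have it take an argument list and spawn `bw` without a shell. Separately, the failure message in `fetch_from_vault` interpolates `secret`, which is not one of the block variables (`item`, `fields`) visible in the hunk, so a failed `bw get item` would likely surface as a NameError rather than the intended RuntimeError; `#{item}` looks like what was meant. Both methods continue outside the hunks shown.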


@@ -2,7 +2,7 @@ class Kamal::Secrets::Adapters::LastPass < Kamal::Secrets::Adapters::Base
private
def login(account)
unless loggedin?(account)
`lpass login #{account}`
`lpass login #{account.shellescape}`
raise RuntimeError, "Failed to login to 1Password" unless $?.success?
end
end
@@ -12,7 +12,7 @@ class Kamal::Secrets::Adapters::LastPass < Kamal::Secrets::Adapters::Base
end
def fetch_from_vault(secrets, account:, session:)
items = `lpass show #{secrets.join(" ")} --json`
items = `lpass show #{secrets.map(&:shellescape).join(" ")} --json`
raise RuntimeError, "Could not read #{secrets} from 1Password" unless $?.success?
items = JSON.parse(items)
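Review bot: `shellescape` keeps the shell from interpreting the secret names passed to `lpass show`, but a name that begins with `-` is still parsed by `lpass` as an option. Putting the flag first and ending option parsing would close that, `lpass show --json -- #{secrets.map(&:shellescape).join(" ")}`, assuming lpass honours the conventional `--` marker; the same consideration applies to `account` in `lpass login`. Both raise messages in this adapter also say "1Password" where "LastPass" is meant, which will mislead whoever triages a failed fetch.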


@@ -11,7 +11,7 @@ class Kamal::Secrets::Adapters::OnePassword < Kamal::Secrets::Adapters::Base
end
def loggedin?(account)
`op account get --account #{account}`
`op account get --account #{account.shellescape}`
$?.success?
end
@@ -54,7 +54,7 @@ class Kamal::Secrets::Adapters::OnePassword < Kamal::Secrets::Adapters::Base
labels = fields.map { |field| "label=#{field}" }.join(",")
options = to_options(vault: vault, fields: labels, format: "json", account: account, session: session.presence)
`op item get #{item} #{options}`.tap do
`op item get #{item.shellescape} #{options}`.tap do
raise RuntimeError, "Could not read #{fields.join(", ")} from #{item} in the #{vault} 1Password vault" unless $?.success?
end
end
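Review bot: The `op item get` command still interpolates `#{options}` unescaped, and that string carries `vault`, the `label=` field list, `account` and `session` as built by `to_options`. `to_options` is outside the hunk, so I cannot tell whether it escapes its values; if it does not, only `item` is protected by this change. The escaping belongs inside `to_options`, applied per value with something like `value.to_s.shellescape`, because the already-joined string cannot be escaped at this call site without breaking the flags.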