From 1bf8ef6d7db18895771285ade1dd4f432a77f87b Mon Sep 17 00:00:00 2001
From: Tim Smith <tsmith84@proton.me>
Date: Sat, 6 Jun 2026 09:22:57 -0700
Subject: [PATCH] Avoid shell interpretation of HAB_LISTEN_CTL in secrets
 bootstrap

The secrets bootstrap loop built a 'hab config apply' command as a
single string and ran it with `system cmd`, appending the value of the
HAB_LISTEN_CTL environment variable unescaped:

    cmd += " --remote-sup #{sup_listen_ctl}" if sup_listen_ctl
    system cmd

Passing a single string to system runs it through a shell, so any shell
metacharacters in HAB_LISTEN_CTL would be interpreted rather than passed
to hab as a literal argument.

Build an explicit argument vector and call system(*cmd) so no shell is
involved and the environment variable is treated as a single literal
argument. The Habitat template placeholder is unchanged and continues
to be rendered before the script runs.

Signed-off-by: Tim Smith <tsmith84@proton.me>
---
 .../habitat/config/secrets-bootstrap.rb                | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/chef-server-ctl/habitat/config/secrets-bootstrap.rb b/src/chef-server-ctl/habitat/config/secrets-bootstrap.rb
index 40410fb955..ef0ab747c6 100644
--- a/src/chef-server-ctl/habitat/config/secrets-bootstrap.rb
+++ b/src/chef-server-ctl/habitat/config/secrets-bootstrap.rb
@@ -86,10 +86,14 @@ def secrets_apply_loop
     puts "Changed Secrets need to be applied."
     File.write("{{pkg.svc_data_path}}/hab-secrets-modified.toml", TOML::Generator.new(new_secrets).body)
     version = Time.now.getutc.to_i
-    cmd = "hab config apply chef-server-ctl.default #{version} {{pkg.svc_data_path}}/hab-secrets-modified.toml"
+    # Invoke hab with an explicit argument vector (no shell) so the value
+    # of HAB_LISTEN_CTL is passed as a literal argument rather than being
+    # interpreted by a shell.
+    cmd = ["hab", "config", "apply", "chef-server-ctl.default", version.to_s,
+           "{{pkg.svc_data_path}}/hab-secrets-modified.toml"]
     sup_listen_ctl = ENV["HAB_LISTEN_CTL"]
-    cmd += " --remote-sup #{sup_listen_ctl}" if sup_listen_ctl
-    system cmd
+    cmd += ["--remote-sup", sup_listen_ctl] if sup_listen_ctl
+    system(*cmd)
   else
     puts "Secrets Unchanged - nothing to do."
   end