From a160205f7e50127f2af4067a0abe40494c765020 Mon Sep 17 00:00:00 2001
From: Zakir Dzhamaliddinov
Date: Fri, 15 Nov 2024 17:43:29 +0300
Subject: [PATCH] coderabbitai review fixes
---
 lib/command/terraform/base.rb | 2 +-
 lib/command/terraform/import.rb | 4 +--
 spec/command/terraform/import_spec.rb | 26 ++++++++++++++++---
 ...{verified_dobule.rb => verified_double.rb} | 0
 4 files changed, 26 insertions(+), 6 deletions(-)
 rename spec/support/{verified_dobule.rb => verified_double.rb} (100%)
diff --git a/lib/command/terraform/base.rb b/lib/command/terraform/base.rb
index c0e4518c..6da2fbad 100644
--- a/lib/command/terraform/base.rb
+++ b/lib/command/terraform/base.rb
@@ -2,7 +2,7 @@
 module Command
 module Terraform
- class Base < Base
+ class Base < Command::Base
 private
 def templates
diff --git a/lib/command/terraform/import.rb b/lib/command/terraform/import.rb
index 76ff98a2..69ec7293 100644
--- a/lib/command/terraform/import.rb
+++ b/lib/command/terraform/import.rb
@@ -32,7 +32,7 @@ def call
 private
 def run_terraform_init
- result = Shell.cmd("terraform init", capture_stderr: true)
+ result = Shell.cmd("terraform", "init", capture_stderr: true)
 if result[:success]
 Shell.info(result[:output])
@@ -42,7 +42,7 @@ def run_terraform_init
 end
 def run_terraform_import(address, id)
- result = Shell.cmd("terraform import #{address} #{id}", capture_stderr: true)
+ result = Shell.cmd("terraform", "import", address, id, capture_stderr: true)
 Shell.info(result[:output])
 end
diff --git a/spec/command/terraform/import_spec.rb b/spec/command/terraform/import_spec.rb
index 842bd760..0e3516f1 100644
--- a/spec/command/terraform/import_spec.rb
+++ b/spec/command/terraform/import_spec.rb
@@ -73,7 +73,7 @@
 end
 def stub_terraform_init_with(success, output)
- allow(Shell).to receive(:cmd).with("terraform init", capture_stderr: true).and_return(
+ allow(Shell).to receive(:cmd).with("terraform", "init", capture_stderr: true).and_return(
 success: success, output: output
 )
 end
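Review bot: In the `@@ -42,7 +42,7 @@` hunk of lib/command/terraform/import.rb, `run_terraform_import` still accepts an `address` or `id` that begins with `-`, which terraform would read as an option rather than a positional argument even though the shell no longer interprets the string. I would reject such values before the call, aborting when `[address, id].any? { |v| v.to_s.start_with?("-") }` is true. The separate-argument form only removes shell interpretation if `Shell.cmd` forwards its arguments as a list instead of joining them; `Shell.cmd` is not part of this patch, so that is worth confirming there. The method also passes `result[:output]` to `Shell.info` without looking at `result[:success]`, unlike `run_terraform_init` in the hunk above, so a failed import is logged as ordinary output.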
@@ -104,9 +104,13 @@ def stub_terraform_init_with(success, output)
 end
 describe "#run_terraform_import" do
- subject(:terraform_import) { import_command.send(:run_terraform_import, "resource_address", "resource_id") }
+ subject(:terraform_import) { import_command.send(:run_terraform_import, resource_address, resource_id) }
+
+ let(:resource_address) { "resource_address" }
+ let(:resource_id) { "resource_id" }
 before do
+ allow(Shell).to receive(:cmd).and_call_original
 allow(Shell).to receive(:info)
 allow(Shell).to receive(:abort)
 end
@@ -135,9 +139,25 @@ def stub_terraform_init_with(success, output)
 end
 end
+ context "with special characters in resource address and resource id" do
+ let(:resource_address) { "cpln_gvc.test-app;rm -rf /" }
+ let(:resource_id) { "test-app;rm -rf /" }
+
+ it "is protected from shell injection" do
+ terraform_import
+
+ expect(Shell).to have_received(:cmd).with(
+ "terraform", "import", resource_address, "test-app;rm -rf /",
+ capture_stderr: true
+ )
+
+ expect(Shell).to have_received(:info).with(/Invalid character/)
+ end
+ end
+
 def stub_terraform_import_with(success, output)
 allow(Shell).to receive(:cmd)
- .with("terraform import resource_address resource_id", capture_stderr: true)
+ .with("terraform", "import", resource_address, resource_id, capture_stderr: true)
 .and_return(success: success, output: output)
 end
 end
diff --git a/spec/support/verified_dobule.rb b/spec/support/verified_double.rb
similarity index 100%
rename from spec/support/verified_dobule.rb
rename to spec/support/verified_double.rb
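Review bot: The "is protected from shell injection" example in the `@@ -135,9 +139,25 @@` hunk of spec/command/terraform/import_spec.rb runs the real command: the `before` block in the `@@ -104,9 +104,13 @@` hunk sets `allow(Shell).to receive(:cmd).and_call_original` and this context adds no stub, so the `;rm -rf /` payload is handed to a live `Shell.cmd` on the developer or CI machine. If string interpolation were ever reintroduced, the regression would be destructive rather than a failed assertion; an inert constructed value such as `"test-app;echo injected"` exercises the same path. The `/Invalid character/` expectation also ties the spec to an installed terraform binary and its message wording. Stubbing the call in this context, e.g. `allow(Shell).to receive(:cmd).and_return(success: false, output: "Invalid character")`, keeps the example hermetic and leaves the real argument handling to a spec for `Shell.cmd`. The enclosing `describe "#run_terraform_import"` block opens in the previous hunk.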