Reputation: 173
I have a bash script where I'm trying to call curl with a variable value as input. When I execute the bash script, the variable value is not expanded inside the double quotes.
The curl command in the script after variable expansion should be as follows:
/usr/bin/curl -s -vvvv http://hmvddrsvr:8044/query/service -u iamusr:pssd -d 'statement=DELETE FROM `test_bucket` WHERE type = "Metadata" AND market = "ES" AND status = "active" AND meta(test_bucket).id="fgsd34sff334" '
It is executed as follows when observed in debug mode:
/usr/bin/curl -s -vvvv http://hmvddrsvr:8044/query/service -u iamusr:pssd -d 'statement=DELETE FROM `test_bucket` WHERE type = "Metadata" AND market = "ES" AND status = "active" AND meta(test_bucket).id=\""$idp_sub"\" '
My bash script is as follows:
#!/bin/bash
idp_sub=""
for idp_sub in $(cat /opt/SP/jboss/home/mayur/es_idp_sub.txt)
do
/usr/bin/curl -s -vvvv http://hmvddrsvr:8044/query/service -u iamusr:pssd -d 'statement=DELETE FROM `test_bucket` WHERE type = "Metadata" AND market = "ES" AND status = "active" AND meta(test_bucket).id=\""$idp_sub"\" ' -o /opt/SP/jboss/home/mayur/es_delete_response.txt
done
How do I expand the variable value within double quotes as shown above in the expected output?
Upvotes: 0
Views: 1674
Reputation: 5613
Nothing inside single quotes will be expanded by bash, including any double-quotes, and variable names. The good news is you can end your single-quoted section and immediately start a double-quoted section to introduce the variable, and it will all be concatenated into a single argument for the application (curl). Try:
/usr/bin/curl -s -vvvv http://hmvddrsvr:8044/query/service -u iamusr:pssd -d 'statement=DELETE FROM `test_bucket` WHERE type = "Metadata" AND market = "ES" AND status = "active" AND meta(test_bucket).id="'"$idp_sub"'" ' -o /opt/SP/jboss/home/mayur/es_delete_response.txt
You can make your code strongly injection-proof by rejecting any string containing a double-quote, but you might reject some strings that have been legitimately escaped.
If you can use the q syntax to quote the string, you can make it more injection-proof, but I guess the attacker just has to inject ]":
/usr/bin/curl -s -vvvv http://hmvddrsvr:8044/query/service -u iamusr:pssd -d 'statement=DELETE FROM `test_bucket` WHERE type = "Metadata" AND market = "ES" AND status = "active" AND meta(test_bucket).id=q"['"$idp_sub"]'" ' -o /opt/SP/jboss/home/mayur/es_delete_response.txt
You could then search for and reject the pattern string ]" as your anti-injection, which will allow a much wider class of legitimate strings. You would have to tell the users that you have applied q[] quoting to their input, so they don't have to.
Upvotes: 0
Reputation: 30831
Your double-quoted string is inside single quotes, where it won't be expanded.
Compare:
foo=bar
echo 'foo=\""$foo\"'
echo 'foo="'"$foo"'"'
In the second example, we end the single quotes, and double-quote $foo, then start new single quotes for the final '.
It's probably easier to read if we expand using printf instead:
printf 'foo=%s\n' "$foo"
That's something you might want to run as a process substitution.
This is a wrong and dangerous way to construct an SQL query (and the web server is also poor, if it forwards arbitrary queries - I hope it has no write permissions to the data). Read about "SQL command injection" and come back to this code when you understand the issues.
Upvotes: 1
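The two answers above combine into one pattern: keep the fixed statement text in single quotes, pass the id as a printf argument, and refuse any id that could close the quoted string. The following is an added example, not code from the question or either answer; the function names are hypothetical and the letters-and-digits allowlist is an assumption based on the sample id in the question.

```bash
#!/bin/bash
# Added example, not code from the question or either answer.
# Assumption: a valid id is letters and digits only, like the sample
# id "fgsd34sff334" in the question.

# build_statement ID
# Prints the -d payload for one id. Returns 1 and prints nothing when
# the id is empty or contains any character outside the allowlist.
build_statement() {
    case $1 in
        '' | *[!A-Za-z0-9]*) return 1 ;;
    esac
    # The fixed text is single-quoted, so the backticks and double quotes
    # are literal; the id is a separate printf argument filling %s.
    printf 'statement=DELETE FROM `test_bucket` WHERE type = "Metadata" AND market = "ES" AND status = "active" AND meta(test_bucket).id="%s"' "$1"
}

# process_ids
# Reads one id per line from stdin. Prints the payload for each accepted
# id on stdout and reports each rejected line on stderr.
process_ids() {
    while IFS= read -r id || [ -n "$id" ]; do
        if payload=$(build_statement "$id"); then
            # In the real script this is where curl would run, with the
            # payload passed as a single argument: -d "$payload"
            printf '%s\n' "$payload"
        else
            printf 'rejected id: %s\n' "$id" >&2
        fi
    done
    return 0
}

# Constructed sample input: one well-formed id and one containing a
# double quote, which would otherwise end the quoted value early.
printf '%s\n' 'fgsd34sff334' 'abc" extra' | process_ids
```

Reading the file with `while read` instead of `for ... in $(cat file)` also keeps a line containing spaces as one id, so it is rejected as a whole rather than split into several words.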