Quote variables in destructive commands (#9400 P0)

[iav]

Summary

• Quote all variable expansions passed to destructive commands (rm, mv, cp, mount, umount, losetup, sed -i, mkdir, mkfs, echo >>, blkid, chroot, etc.) to prevent word splitting — the highest-priority safety fix from Proposal: Improve Bash syntax safety across the codebase #9400
• Replace [ ! -z ] / [ -z ] with [[ -n ]] / [[ -z ]] where they guard destructive operations
• Fix unquoted array expansion ${megous_trees[@]} → "${megous_trees[@]}"

Files changed (one commit per file)

• extensions/image-output-abl.sh
• extensions/uwe5622-allwinner.sh
• extensions/cloud-init/cloud-init.sh
• extensions/lvm.sh
• extensions/allwinner-kernel-bump.sh
• lib/functions/image/partitioning.sh

Heredoc documentation blocks inside call_extension_method are intentionally left unchanged.

Test plan

• shellcheck passes with no new warnings
• Visual diff review — only quoting changes, no logic changes
• Build test with a real board

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Improved shell script robustness across kernel, cloud-init, image output, LVM, partitioning and init workflows by consistently quoting variables, arrays and paths.
  • Safer handling of files, directories and device/device-paths (including names with spaces or special characters), reducing risk of failures during image creation, mounting and setup.
  • No functional or behavioral changes; workflows and outputs remain unchanged.

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🏷️ Required labels (at least one) (1)

• Needs review

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4f35ab77-5ec2-4674-85e3-f91412969be4

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Multiple shell scripts and a partitioning library were updated to consistently quote variable expansions and file paths (e.g., "${SDCARD}", "${config_src}", "${kernel_work_dir}"). Changes are syntactic only and do not alter control flow, interfaces, or runtime behavior.

Changes

Cohort / File(s)	Summary
Kernel & image tooling extensions/allwinner-kernel-bump.sh, extensions/image-output-abl.sh	Added quoting around variable references, paths, array iterations, git/patch operations and image file commands; preserved original control flow.
Cloud-init & board extensions extensions/cloud-init/cloud-init.sh, extensions/uwe5622-allwinner.sh	Quoted cp/mv/rm/chroot/install/mkdir and SD card/config paths to prevent word-splitting; no behavioral changes.
LVM setup extensions/lvm.sh	Quoted device/partition/mapper and log paths across PV/VG/LV creation, mapping, rootdevice assignment, and logging.
Partitioning library lib/functions/image/partitioning.sh	Widespread quoting of SDCARD, LOOP, partition variables and paths used in mkfs/mount/blkid/fstab/boot edits and other file operations; logic unchanged.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• Proposal: Improve Bash syntax safety across the codebase #9400 — Implements Bash-syntax-safety fixes (quoting, [[ ]], safer array handling) that match patterns and objectives present in this PR.

Poem

🐰 I found loose paths and wrapped them tight in quotes,
No stray spaces now jump boats or cause misnotes,
A gentle hop through scripts, tidy and neat,
Safe commands and calm mounts — carrots for the feat! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the main change: quoting variables in destructive commands, which is the core objective of all six modified files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@extensions/image-output-abl.sh`:
- Around line 58-69: The cat command is using the loop variable dtb_name (which
contains the last element) causing an inconsistent DTB to be concatenated;
update the cat invocation to use the first ABL DTB reference ${ABL_DTB_LIST[0]}
instead of ${dtb_name} so it matches the display_alert and the --kernel argument
passed to mkbootimg (ensure the temporary file name and the --kernel value both
derive from ${ABL_DTB_LIST[0]} to keep them consistent with DESTIMG,
new_rootfs_image_mount_dir, and version).

🧹 Nitpick comments (1)

lib/functions/image/partitioning.sh (1)

352-387: Unquoted variables in heredoc extension hooks still carry word-splitting risk.

The heredoc blocks passed to call_extension_method at lines 352–362 and 371–387 contain unquoted variables in destructive commands (e.g., btrfs subvolume create $MOUNT/@home, echo ... >> $SDCARD/etc/fstab). The PR description notes these are intentionally excluded, but since this code is executed (not just documentation), it has the same word-splitting risk the rest of the PR addresses.

Consider a follow-up to quote these as well, or document why they're excluded (e.g., if the heredoc quoting context makes it non-trivial).

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

lib/functions/image/partitioning.sh (1)

350-350: ⚠️ Potential issue | 🟡 Minor

Unquoted $MOUNT/$btrfs_root_subvolume inside string argument.

Line 350 passes an unquoted path as a string to run_host_command_logged. Since this function executes via bash -c "$*", the inner shell will word-split $MOUNT/$btrfs_root_subvolume if either variable contains spaces. The adjacent line 346 was already fixed — this one appears to have been missed.

Proposed fix

-		run_host_command_logged "btrfs subvolume set-default $MOUNT/$btrfs_root_subvolume"
+		run_host_command_logged "btrfs subvolume set-default '$MOUNT/$btrfs_root_subvolume'"

Note: Since run_host_command_logged concatenates args into bash -c "$*", embedding single quotes inside the string protects the path in the inner shell. Alternatively, pass as separate arguments like line 346 does: run_host_command_logged btrfs subvolume set-default "$MOUNT/$btrfs_root_subvolume".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/functions/image/partitioning.sh` at line 350, The call to
run_host_command_logged uses an unquoted expansion run_host_command_logged
"btrfs subvolume set-default $MOUNT/$btrfs_root_subvolume" which allows
word-splitting if $MOUNT or $btrfs_root_subvolume contain spaces; change the
invocation to pass the command and the path as separate arguments so the path is
quoted by the outer shell (e.g., call run_host_command_logged btrfs subvolume
set-default "$MOUNT/$btrfs_root_subvolume") or alternatively embed the path in
single quotes within the string, ensuring the variables are properly quoted to
prevent splitting; update the invocation that contains run_host_command_logged
and the variables MOUNT and btrfs_root_subvolume accordingly.

🧹 Nitpick comments (1)

lib/functions/image/partitioning.sh (1)

434-434: Minor: inconsistent quoting style for ${SDCARD}.

Line 434 quotes "${SDCARD}/etc/fstab" — good. But line 433 (unchanged) uses $SDCARD/etc/fstab unquoted in the display_alert argument. Not a safety issue since display_alert isn't destructive, just noting the inconsistency.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/functions/image/partitioning.sh` at line 434, The display_alert call uses
an unquoted $SDCARD while later code appends to "${SDCARD}/etc/fstab", causing
inconsistent quoting; update the display_alert invocation to use "${SDCARD}"
(i.e., change $SDCARD/... to "${SDCARD}/...") so the SDCARD variable is quoted
consistently across the script (refer to the display_alert call and the
"${SDCARD}/etc/fstab" append).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@lib/functions/image/partitioning.sh`:
- Line 350: The call to run_host_command_logged uses an unquoted expansion
run_host_command_logged "btrfs subvolume set-default
$MOUNT/$btrfs_root_subvolume" which allows word-splitting if $MOUNT or
$btrfs_root_subvolume contain spaces; change the invocation to pass the command
and the path as separate arguments so the path is quoted by the outer shell
(e.g., call run_host_command_logged btrfs subvolume set-default
"$MOUNT/$btrfs_root_subvolume") or alternatively embed the path in single quotes
within the string, ensuring the variables are properly quoted to prevent
splitting; update the invocation that contains run_host_command_logged and the
variables MOUNT and btrfs_root_subvolume accordingly.

---

Nitpick comments:
In `@lib/functions/image/partitioning.sh`:
- Line 434: The display_alert call uses an unquoted $SDCARD while later code
appends to "${SDCARD}/etc/fstab", causing inconsistent quoting; update the
display_alert invocation to use "${SDCARD}" (i.e., change $SDCARD/... to
"${SDCARD}/...") so the SDCARD variable is quoted consistently across the script
(refer to the display_alert call and the "${SDCARD}/etc/fstab" append).

[coderabbitai]

♻️ Duplicate comments (1)

extensions/image-output-abl.sh (1)

59-59: ⚠️ Potential issue | 🟡 Minor

Pre-existing bug: ${dtb_name} on the recovery image cat uses the last loop value, not ${ABL_DTB_LIST[0]}.

Line 58's display_alert and line 61's --kernel both reference ${ABL_DTB_LIST[0]}, but the cat on line 59 still reads ${dtb_name} — which retains whatever value the for loop left it with (the last element of ABL_DTB_LIST). This means the recovery kernel image is silently built from the wrong DTB when the list has more than one entry.

🐛 Proposed fix

-		cat "${DESTIMG}/Image.gz" "${new_rootfs_image_mount_dir}"/usr/lib/linux-image-*/qcom/"${dtb_name}.dtb" > "${DESTIMG}/Image.gz-${dtb_name}"
+		cat "${DESTIMG}/Image.gz" "${new_rootfs_image_mount_dir}"/usr/lib/linux-image-*/qcom/"${ABL_DTB_LIST[0]}.dtb" > "${DESTIMG}/Image.gz-${ABL_DTB_LIST[0]}"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@extensions/image-output-abl.sh` at line 59, The cat command that builds the
recovery kernel image is using the loop variable ${dtb_name} (which ends up as
the last element) instead of the first DTB entry referenced elsewhere; update
the cat invocation that writes "${DESTIMG}/Image.gz-${dtb_name}" to use the
first list element "${ABL_DTB_LIST[0]}" so it matches the display_alert and
--kernel usage and ensures the recovery image is created from ABL_DTB_LIST[0];
confirm the replacement in the command that reads from
"${new_rootfs_image_mount_dir}/usr/lib/linux-image-*/qcom/" and that filename
construction remains correct.

🧹 Nitpick comments (1)

lib/functions/image/partitioning.sh (1)

323-323: Consider adding a shellcheck disable=SC2086 comment for ${fscreateopt} to match the pattern established for ${mkopts} at line 404.

${fscreateopt} must remain unquoted so -o compress-force=… word-splits into two arguments, and it correctly expands to zero words when unset. The same intentional-unquoting rationale applies here as at line 404, but no annotation was added at this site (or at line 366).

♻️ Proposed fix

+		# shellcheck disable=SC2086 # fscreateopt must word-split into "-o" and "compress-force=..." when set
 		run_host_command_logged mount ${fscreateopt} "$rootdevice" "$MOUNT"/

And similarly at line 366:

+		# shellcheck disable=SC2086 # fscreateopt must word-split into "-o" and "compress-force=..." when set
 		run_host_command_logged mount -odefaults,${mountopts[$ROOTFS_TYPE]} ${fscreateopt} "$rootdevice" "$MOUNT"/

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/functions/image/partitioning.sh` at line 323, The mount call uses an
intentional unquoted variable ${fscreateopt} (in the run_host_command_logged
mount invocation) and needs a shellcheck exemption like the existing ${mkopts}
usage; add a comment "# shellcheck disable=SC2086" immediately above the
run_host_command_logged mount "${fscreateopt}" expansion to document the
deliberate word-splitting/empty expansion behavior, and add the same exemption
at the other site where ${fscreateopt} is intentionally unquoted (the earlier
run_host_command_logged invocation that mirrors the mkopts pattern).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@extensions/image-output-abl.sh`:
- Line 59: The cat command that builds the recovery kernel image is using the
loop variable ${dtb_name} (which ends up as the last element) instead of the
first DTB entry referenced elsewhere; update the cat invocation that writes
"${DESTIMG}/Image.gz-${dtb_name}" to use the first list element
"${ABL_DTB_LIST[0]}" so it matches the display_alert and --kernel usage and
ensures the recovery image is created from ABL_DTB_LIST[0]; confirm the
replacement in the command that reads from
"${new_rootfs_image_mount_dir}/usr/lib/linux-image-*/qcom/" and that filename
construction remains correct.

---

Nitpick comments:
In `@lib/functions/image/partitioning.sh`:
- Line 323: The mount call uses an intentional unquoted variable ${fscreateopt}
(in the run_host_command_logged mount invocation) and needs a shellcheck
exemption like the existing ${mkopts} usage; add a comment "# shellcheck
disable=SC2086" immediately above the run_host_command_logged mount
"${fscreateopt}" expansion to document the deliberate word-splitting/empty
expansion behavior, and add the same exemption at the other site where
${fscreateopt} is intentionally unquoted (the earlier run_host_command_logged
invocation that mirrors the mkopts pattern).

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 10b5ba5 and 2f75e1c.

📒 Files selected for processing (6)

• extensions/allwinner-kernel-bump.sh
• extensions/cloud-init/cloud-init.sh
• extensions/image-output-abl.sh
• extensions/lvm.sh
• extensions/uwe5622-allwinner.sh
• lib/functions/image/partitioning.sh

🚧 Files skipped from review as they are similar to previous changes (3)

• extensions/cloud-init/cloud-init.sh
• extensions/lvm.sh
• extensions/allwinner-kernel-bump.sh

[iav]

rebased

[github-actions]

✅ This PR has been reviewed and approved — all set for merge!