From 7108152ff4b75c588534f0b238a40cf448941d98 Mon Sep 17 00:00:00 2001
From: Max Harmathy
Date: Mon, 17 Oct 2022 16:06:36 +0200
Subject: [PATCH 1/5] Add Github action for running shellcheck

---
 .github/workflows/main.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 .github/workflows/main.yml

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000..64f1d5e
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,13 @@
+on:
+ push:
+
+jobs:
+ shellcheck:
+ name: Shellcheck
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Run ShellCheck
+ uses: ludeeus/action-shellcheck@master
+ with:
+ additional_files: 'harden'

From 8ab4be911e08623c80acd2ed380ca091cb3c80f7 Mon Sep 17 00:00:00 2001
From: Max Harmathy
Date: Mon, 17 Oct 2022 15:20:49 +0200
Subject: [PATCH 2/5] Make it clear, this is a posix sh script

Add shebang to indicate, that this script is a posix sh shell script. This eliminates relying on implicit wrapping of commands into some shell by docker and allows static analysis with shellcheck.
---
 harden | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/harden b/harden
index 71b4580..f0dce28 100755
--- a/harden
+++ b/harden
@@ -1,4 +1,4 @@
-
+#!/bin/sh
 #
 # License
 #

From 027c203e59a7e3c6bd6a3711341cb97f4a2d7a7a Mon Sep 17 00:00:00 2001
From: Max Harmathy
Date: Mon, 17 Oct 2022 15:21:40 +0200
Subject: [PATCH 3/5] Consistent indetation with two spaces

---
 harden | 174 ++++++++++++++++++++++++++-------------------------------
 1 file changed, 80 insertions(+), 94 deletions(-)

diff --git a/harden b/harden
index f0dce28..287b451 100755
--- a/harden
+++ b/harden
@@ -5,10 +5,9 @@
 # GNU Affero General Public License Version 3.0, https://www.gnu.org/licenses/agpl-3.0.en.html
 #
+usage() {
-usage(){
-
-cat < -f -r -u user -c " -x Activates debugging -d Files are considered dynamically linked
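Review bot: `uses: ludeeus/action-shellcheck@master` on the new side of the hunk references a mutable branch, so each push runs whatever that branch holds at that moment rather than a reviewed version of the action, and the same weaker form of the concern applies to the floating `actions/checkout@v2` tag. Pin it to a release tag or, preferably, a full-length commit SHA with the version noted in a trailing comment, e.g. `uses: ludeeus/action-shellcheck@<commit-sha> # <release>` (placeholders; take the values from the action's release list). The trigger `on: push:` has no branch filter, so the lint job runs on every branch push; that is probably intended, but a one-line comment saying so would spare the next reader the question.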
@@ -25,121 +24,108 @@ EOF } -create_dir(){ +create_dir() { HARDEN=/tmp/harden mkdir -p $HARDEN - for i in $* - do + for i in $*; do DIR=$HARDEN/$(dirname $i) - + mkdir -p "$DIR" - [ -d $HARDEN/"$i" ] || cp -a "$i" $HARDEN/$i - - done + [ -d $HARDEN/"$i" ] || cp -a "$i" $HARDEN/$i + + done } -next_section(){ - [ $# -gt 0 ] && [ `echo $1 | head -c 1` != '-' ] && return 0 +next_section() { + [ $# -gt 0 ] && [ $(echo $1 | head -c 1) != '-' ] && return 0 return 1 } -ldd_filter(){ - sed 's+\t*++' |\ - sed 's+.*=>\ ++' |\ - sed 's+\ .*$++' +ldd_filter() { + sed 's+\t*++' \ + | sed 's+.*=>\ ++' \ + | sed 's+\ .*$++' } -link_filter(){ - for f in $(find "$1") - do +link_filter() { + for f in $(find "$1"); do echo $f - if [ -L $f ] - then - LINK=$(readlink $f) - if [ `echo $LINK | head -c 1` = '/' ] - then - echo $LINK - else - echo $(dirname $f)/$(readlink $f) - fi - fi - done + if [ -L $f ]; then + LINK=$(readlink $f) + if [ $(echo $LINK | head -c 1) = '/' ]; then + echo $LINK + else + echo $(dirname $f)/$(readlink $f) + fi + fi + done } +extract() { -extract(){ - - while [ $# -ne 0 ] - do + while [ $# -ne 0 ]; do case $1 in - -x) # enable debugging - - set -x - shift - ;; - - -d) # dynamically linked executables - - shift - while next_section $* - do - for f in $(ldd "$1" | ldd_filter) $1 - do - link_filter $f + -x) # enable debugging + + set -x + shift + ;; + + -d) # dynamically linked executables + + shift + while next_section $*; do + for f in $(ldd "$1" | ldd_filter) $1; do + link_filter $f + done + shift done + ;; + + -f) # files and links + shift - done - ;; - - -f) # files and links - - shift - while next_section $* - do - link_filter $1 + while next_section $*; do + link_filter $1 + shift + done + ;; + + -r) # files to remove shift - done - ;; - - -r) # files to remove - shift - while next_section $* - do - rm $1 + while next_section $*; do + rm $1 + shift + done + ;; + + -u) # change owner and grant access shift - done - ;; - - -u) # change owner and grant access 
- shift - OWNER=$1 - shift - while next_section $* - do - chown $OWNER $1 - chmod -R +rw $1 + OWNER=$1 shift - done - ;; - - -c) # make world writeable - shift - while next_section $* - do - chmod -R go+rw $1 + while next_section $*; do + chown $OWNER $1 + chmod -R +rw $1 + shift + done + ;; + + -c) # make world writeable shift - done - ;; - - *) # error, show usage - - usage - exit 1 - ;; + while next_section $*; do + chmod -R go+rw $1 + shift + done + ;; + + *) # error, show usage + + usage + exit 1 + ;; esac - done | uniq | sed 's+^/++' + done | uniq | sed 's+^/++' } - create_dir $(extract $*) From 3e5e3c273cb92bce81e33a96d7945d5f702c7ece Mon Sep 17 00:00:00 2001 From: Max Harmathy Date: Mon, 17 Oct 2022 15:25:44 +0200 Subject: [PATCH 4/5] Fix word splitting issues This changes eliminates several issues with paths containing spaces. First of all variables are now properly quoted. Then iteration over find output takes an intermediate step with a temporary file to avoid word splitting in a path. The call to head -c 1 is replaced by printf, which is probably a shell built-in and thus might save an external process call. The outer iteration over the result of extract has moved from the create_dir function to a main function. --- harden | 62 +++++++++++++++++++++++++++++++++++----------------------- 1 file changed, 37 insertions(+), 25 deletions(-) diff --git a/harden b/harden index 287b451..2a71a8f 100755 --- a/harden +++ b/harden @@ -28,13 +28,15 @@ create_dir() { HARDEN=/tmp/harden mkdir -p $HARDEN - for i in $*; do - DIR=$HARDEN/$(dirname $i) + DIR=$HARDEN/$(dirname "$1") - mkdir -p "$DIR" - [ -d $HARDEN/"$i" ] || cp -a "$i" $HARDEN/$i + mkdir -p "$DIR" + [ -d "$HARDEN/$1" ] || cp -a "$1" "$HARDEN/$1" - done +} + +first_char() { + printf %.1s "$1" } next_section() { 
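Review bot: `mkdir -p $HARDEN`, the unchanged line just above the first change in this hunk, is the one expansion in `create_dir` that the commit leaves unquoted; `mkdir -p "$HARDEN"` keeps the function consistent with the commit's stated aim and keeps the ShellCheck job from the first patch quiet. The new `first_char` helper deserves a one-line header such as `# first_char STRING: print the first character of STRING (nothing if STRING is empty)`, because `printf %.1s` is not an obvious idiom and the helper is used in `link_filter` (and, later in the series, in `next_section`). `create_dir` also still stages everything under the fixed path in `HARDEN=/tmp/harden` (unchanged context); that is presumably fine inside a container build, but a comment stating that the directory is expected not to pre-exist would make the assumption explicit.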
@@ -49,17 +51,19 @@ ldd_filter() {
 }
 link_filter() {
- for f in $(find "$1"); do
- echo $f
- if [ -L $f ]; then
- LINK=$(readlink $f)
- if [ $(echo $LINK | head -c 1) = '/' ]; then
- echo $LINK
+ find "$1" ! -name "$(printf "*\n*")" >link_filter.tmp
+ while IFS= read -r f; do
+ echo "$f"
+ if [ -L "$f" ]; then
+ LINK=$(readlink "$f")
+ if [ "$(first_char "$LINK")" = '/' ]; then
+ echo "$LINK"
 else
- echo $(dirname $f)/$(readlink $f)
+ echo "$(dirname "$f")/$LINK"
 fi
 fi
- done
+ done extract.tmp
+ while IFS= read -r f; do
+ create_dir "$f"
+ done
Date: Mon, 17 Oct 2022 15:34:58 +0200
Subject: [PATCH 5/5] Simplyfy next_section function

---
 harden | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/harden b/harden
index 2a71a8f..7192fa1 100755
--- a/harden
+++ b/harden
@@ -40,8 +40,7 @@ first_char() {
 }
 next_section() {
- [ $# -gt 0 ] && [ $(echo $1 | head -c 1) != '-' ] && return 0
- return 1
+ [ $# -gt 0 ] && [ "$(first_char "$1")" != '-' ]
 }
 ldd_filter() {
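Review bot: `find "$1" ! -name "$(printf "*\n*")" >link_filter.tmp` writes a fixed-name scratch file into whatever the current working directory happens to be, and the loop that follows only prints lines, so no variable has to survive a subshell; piping directly, `find "$1" ! -name "$(printf "*\n*")" | while IFS= read -r f; do`, with the closing `done` no longer redirected from the file, removes the temporary file altogether. If a file is kept, it should come from `mktemp` and be removed by a `trap ... EXIT` rather than being overwritten on every call and left behind in the caller's directory. The `! -name` test silently drops any entry whose name contains a newline, so a comment such as `# names containing a newline cannot be carried through a line-oriented loop and are skipped` would record that this is deliberate. The text of this hunk after `done` is garbled in this rendering (everything up to the next `>` was stripped), so I cannot see whether the scratch file is cleaned up.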
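Review bot: The new one-liner in `next_section` carries no comment stating its contract, although the `while next_section ...` loops in `extract` rely on it to decide where an option's operand list ends. A header such as `# next_section ARGS...: succeed while $1 exists and does not start with '-', i.e. while it is still an operand of the current option` would make the exit status of the `&&` chain the documented result rather than an accident of the last test. A consequence worth stating in `usage()` is that an operand whose name begins with `-` cannot be passed, since it is taken as the next option.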