GDB-11623

Parse and modify /etc/graphdb/graphdb.env file inline to prevent potential code
execution (and in some cases, privilege escalation).

Author: Ivan Konstantinov

.gitignore

@@ -1,5 +1,5 @@
 # IDEs
-
+*.iml
 .idea/
 
 # Local .terraform directories

modules/graphdb/templates/04_gdb_conf_overrides.sh.tpl

@@ -85,10 +85,11 @@ fi
 # Appends environment overrides to GDB_JAVA_OPTS
 if [[ $SSM_PARAMETERS == *"/${name}/graphdb/graphdb_java_options"* ]]; then
   extra_graphdb_java_options="$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/graphdb_java_options" --with-decryption | jq -r .Parameter.Value)"
-  (
-    source /etc/graphdb/graphdb.env
-    echo "GDB_JAVA_OPTS=\"$GDB_JAVA_OPTS $extra_graphdb_java_options\"" >> /etc/graphdb/graphdb.env
-  )
+  if grep GDB_JAVA_OPTS &>/dev/null /etc/graphdb/graphdb.env; then
+     sed -ie 's/GDB_JAVA_OPTS="\(.*\)"/GDB_JAVA_OPTS="$extra_graphdb_java_options \1"/g' /etc/graphdb/graphdb.env
+  else
+     echo "GDB_JAVA_OPTS=$extra_garphdb_java_options" > /etc/graphdb/graphdb.env
+  fi
 fi
 
 log_with_timestamp "Completed applying overrides"