V8.13.294.2025.10.28

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

lib/lib_sanitizer.sh

@@ -13,9 +13,11 @@
 guard_sourcing
 
 #######################################
-# Argument Check Wrapper
+# Arguments check wrapper.
+# Globals:
+#   None
 # Arguments:
-#   $1: "$@" of ./ciss_live_builder.sh
+#   1: "$@" of ./ciss_live_builder.sh
 #######################################
 arg_check() {
   declare a
@@ -25,35 +27,49 @@ arg_check() {
   done
   set -- "${sanitized_args[@]}"
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f arg_check
 
 #######################################
-# Function to sanitize a single argument
+# Function to sanitize a single argument,
 # Globals:
-#   ERR_INVLD_CHAR
 #   LOG_ERROR
 # Arguments:
-#   $1: Argument to check
+#   1: Argument to check
+# Returns:
+#   0: on success
+#   ERR_INVLD_CHAR: on failure
 #######################################
 sanitize_arg() {
   declare input="${1}"
   declare disallowed_ctrl=""
+
   ### Step 1: Check for control characters
   if printf '%s' "${input}" | grep -qP '[[:cntrl:]]'; then
+
+    # shellcheck disable=SC2312
     disallowed_ctrl=$(printf '%s' "${input}" | sed -n 's/[^[:cntrl:]]//gp' | sed $'s/./&\\n/g' \
-      | while read -r c; do printf "%02X " "'$c"; done)
+      | while read -r c; do printf "%02X " "'${c}"; done)
+
     {
       printf "❌ Control character   : '%s'. \n" "${disallowed_ctrl}"
       printf "❌         in argument : '%s'. \n" "${input}"
       printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n"
       printf "\n"
     } >> "${LOG_ERROR}"
+
     boot_screen_cleaner
+
     printf "\e[91m❌ Control character   : '%s'. \e[0m\n" "${disallowed_ctrl}" >&2
     printf "\e[91m❌         in argument : '%s'. \e[0m\n" "${input}" >&2
     printf "\e[91m❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2
+
     # shellcheck disable=SC2162
     read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+
     exit "${ERR_INVLD_CHAR}"
+
   fi
 
   ### Step 2: Define allowed characters:
@@ -61,6 +77,7 @@ sanitize_arg() {
   declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
   declare disallowed
   disallowed=$(printf '%s' "${input}" | tr -d "${allowed}")
+
   if [[ -n ${disallowed} ]]; then
     {
       printf "❌ Invalid character   : '%s'. \n" "${disallowed//?/& }"
@@ -68,22 +85,36 @@ sanitize_arg() {
       printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n"
       printf "\n"
     } >> "${LOG_ERROR}"
+
     boot_screen_cleaner
+
     printf "\e[91m❌ Invalid character   : '%s'. \e[0m\n" "${disallowed//?/& }" >&2
     printf "\e[91m❌         in argument : '%s'. \e[0m\n" "${input}" >&2
     printf "\e[91m❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2
+
     # shellcheck disable=SC2162
     read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+
     exit "${ERR_INVLD_CHAR}"
+
   else
+
     printf '%s' "${input}"
+
   fi
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f sanitize_arg
 
 #######################################
-# Function to remove any character not in the allowed set
+# Function to remove any character not in the allowed set.
+# Globals:
+#   None
 # Arguments:
-#   $1: String to Sanitize
+#   1: String to Sanitize
 #######################################
 sanitize_string() {
   declare input="$1"
@@ -92,15 +123,23 @@ sanitize_string() {
   declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
   printf '%s' "${input}" | tr -cd "${allowed}"
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f sanitize_string
 
 #######################################
-# Function to escape all shell metacharacters
+# Function to escape all shell metacharacters.
+# Globals:
+#   None
 # Arguments:
-#   $1: String to Sanitize
+#   1: String to Sanitize
 #######################################
 sanitize_shell_literal() {
   declare input="$1"
   ### %q quotes the string so that the shell re-reads it as the original literal
   printf '%q' "${input}"
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f sanitize_shell_literal
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_source_guard.sh

@@ -11,7 +11,9 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 #######################################
-# Prevent the file to be sourced twice.
+# Prevents the file to be sourced twice.
+# Globals:
+#   None
 # Arguments:
 #   1: File to source.
 #######################################
@@ -25,4 +27,7 @@ source_guard() {
     . "${var_file}"
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f source_guard
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_usage.sh

@@ -12,8 +12,12 @@
 
 #######################################
 # Usage Wrapper CISS.debian.live.builder
+# Globals:
+#   None
 # Arguments:
-#   0: Script name
+#   None
+# Returns:
+#   0: on success
 #######################################
 usage() {
   # shellcheck disable=SC2155
@@ -162,5 +166,10 @@ usage() {
     echo
     echo -e "\e[1;97m${var_footer}\e[0m"
   } | less -R
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f usage
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_version.sh

@@ -16,6 +16,8 @@
 #   VAR_VERSION
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 version() {
   # shellcheck disable=SC2155
@@ -50,5 +52,10 @@ $(echo -e "\e[97m###############################################################
   Bash    : ${var_bash_ver}
 
 EOF
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f version
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

scripts/usr/lib/live/build/binary_rootfs.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
@@ -23,7 +23,7 @@
 set -e
 
 # Including common functions
-if [[ -e "${LIVE_BUILD}/scripts/build.sh" ]]; then
+if [ -e "${LIVE_BUILD}/scripts/build.sh" ]; then
   . "${LIVE_BUILD}/scripts/build.sh"
 else
   . /usr/lib/live/build.sh
@@ -74,7 +74,7 @@ esac
 # Creating directory
 mkdir -p "binary/${INITFS}"
 
-if In_list "rootfs" "${LB_CACHE_STAGES}" && [[ -d cache/binary_rootfs ]]
+if In_list "rootfs" "${LB_CACHE_STAGES}" && [ -d cache/binary_rootfs ]
 then
 	# Removing old chroot
 	rm -rf binary/"${INITFS}"/filesystem.*
@@ -100,7 +100,7 @@ case "${LB_CHROOT_FILESYSTEM}" in
 		Install_packages
 
 		# Remove old image
-		if [[ -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" ]]
+		if [ -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" ]
 		then
 			rm -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}"
 		fi
@@ -135,7 +135,7 @@ case "${LB_CHROOT_FILESYSTEM}" in
 					FAKE_MTAB=true
 				fi
 				BLOCK_SIZE=1024
-				if [[ "${LB_DM_VERITY}" = "true" ]]
+				if [ "${LB_DM_VERITY}" = "true" ]
 				then
 					# Module dm-verity needs a block size of at least 4k
 					BLOCK_SIZE=4096
@@ -162,7 +162,7 @@ case "${LB_CHROOT_FILESYSTEM}" in
 				# Removing depends
 				Remove_packages
 
-				if [[ -e chroot/chroot.cache ]]
+				if [ -e chroot/chroot.cache ]
 				then
 					Remove_lockfile
 					mv chroot/chroot chroot.tmp
@@ -208,12 +208,12 @@ case "${LB_CHROOT_FILESYSTEM}" in
 		Install_packages
 
 		# Remove old jffs2 image
-		if [[ -f "binary/${INITFS}/filesystem.jffs2" ]]
+		if [ -f "binary/${INITFS}/filesystem.jffs2" ]
 		then
 			rm -f "binary/${INITFS}/filesystem.jffs2"
 		fi
 
-		if [[ -n "${LB_JFFS2_ERASEBLOCK}" ]]
+		if [ -n "${LB_JFFS2_ERASEBLOCK}" ]
 		then
 			JFFS2_OPTIONS="--eraseblock=${LB_JFFS2_ERASEBLOCK}"
 		fi
@@ -228,7 +228,7 @@ case "${LB_CHROOT_FILESYSTEM}" in
 				# Removing depends
 				Remove_packages
 
-				if [[ -e chroot/chroot.cache ]]
+				if [ -e chroot/chroot.cache ]
 				then
 					Remove_lockfile
 					mv chroot/chroot chroot.tmp
@@ -256,14 +256,14 @@ case "${LB_CHROOT_FILESYSTEM}" in
 		;;
 
 	plain)
-		if [[ -d "binary/${INITFS}/filesystem.dir" ]]
+		if [ -d "binary/${INITFS}/filesystem.dir" ]
 		then
 			rm -rf "binary/${INITFS}/filesystem.dir"
 		fi
 
 		case "${LB_BUILD_WITH_CHROOT}" in
 			true)
-				if [[ -e chroot/chroot.cache ]]
+				if [ -e chroot/chroot.cache ]
 				then
 					# Different from the other LB_CHROOT_FILESYSTEM values:
 					# continue working in the bootstrap chroot, not the generated chroot.
@@ -298,7 +298,7 @@ case "${LB_CHROOT_FILESYSTEM}" in
 		Echo_message "This may take a while."
 
 		# Remove old squashfs image
-		if [[ -f "binary/${INITFS}/filesystem.squashfs" ]]
+		if [ -f "binary/${INITFS}/filesystem.squashfs" ]
 		then
 			rm -f "binary/${INITFS}/filesystem.squashfs"
 		fi
@@ -309,17 +309,17 @@ case "${LB_CHROOT_FILESYSTEM}" in
 		# Do not display the progress bar if:
 		# - Run with --quiet, or
 		# - stdin is not a terminal (e.g., in CI, cron, etc.)
-		if [[ "${_QUIET}" = "true" ]] || [[ ! -t 0 ]]
+		if [ "${_QUIET}" = "true" ] || [ ! -t 0 ]
 		then
 			MKSQUASHFS_OPTIONS="-no-progress ${MKSQUASHFS_OPTIONS}"
 		fi
 
-		if [[ "${_VERBOSE}" = "true" ]]
+		if [ "${_VERBOSE}" = "true" ]
 		then
 			MKSQUASHFS_OPTIONS="-info ${MKSQUASHFS_OPTIONS}"
 		fi
 
-		if [[ -f config/rootfs/squashfs.sort ]]
+		if [ -f config/rootfs/squashfs.sort ]
 		then
 			MKSQUASHFS_OPTIONS="-sort squashfs.sort ${MKSQUASHFS_OPTIONS}"
 
@@ -335,28 +335,28 @@ case "${LB_CHROOT_FILESYSTEM}" in
 		fi
 
 		# Set squashfs compression type or default to xz
-		if [[ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE}" ]]
+		if [ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE}" ]
 		then
 			MKSQUASHFS_OPTIONS="-comp ${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE} ${MKSQUASHFS_OPTIONS}"
 		else
 			MKSQUASHFS_OPTIONS="-comp xz ${MKSQUASHFS_OPTIONS}"
 		fi
 
-		if [[ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL}" ]]
+		if [ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL}" ]
 		then
 			MKSQUASHFS_OPTIONS="-Xcompression-level ${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL} ${MKSQUASHFS_OPTIONS}"
 		fi
 
 		case "${LB_BUILD_WITH_CHROOT}" in
 			true)
-				if [[ -e config/rootfs/excludes ]]
+				if [ -e config/rootfs/excludes ]
 				then
 
           printf "\e[95m[INFO] Found: [config/rootfs/excludes] \n\e[0m"
 
 					cp -a config/rootfs/excludes chroot/excludes
 
-          if [[ -e chroot/excludes ]]
+          if [ -e chroot/excludes ]
           then
 
             printf "\e[95m[INFO] Found: [chroot/excludes] \n\e[0m"
@@ -384,7 +384,7 @@ case "${LB_CHROOT_FILESYSTEM}" in
 				# Removing depends
 				Remove_packages
 
-				if [[ -e chroot/chroot.cache ]]
+				if [ -e chroot/chroot.cache ]
 				then
 					Remove_lockfile
 					mv chroot/chroot chroot.tmp
@@ -403,7 +403,7 @@ case "${LB_CHROOT_FILESYSTEM}" in
 				;;
 
 			false)
-				if [[ -e config/rootfs/excludes ]]
+				if [ -e config/rootfs/excludes ]
 				then
 					MKSQUASHFS_OPTIONS="-wildcards -ef config/rootfs/excludes ${MKSQUASHFS_OPTIONS}"
 				fi
@@ -419,7 +419,7 @@ case "${LB_CHROOT_FILESYSTEM}" in
 		;;
 
 	none)
-		if [[ -d binary ]]
+		if [ -d binary ]
 		then
 			rm -rf binary
 		fi
@@ -444,7 +444,7 @@ then
 
 	mkdir -p cache/binary_rootfs
 
-	if [[ "${LB_CHROOT_FILESYSTEM}" != "none" ]]
+	if [ "${LB_CHROOT_FILESYSTEM}" != "none" ]
 	then
 		cp -a binary/"${INITFS}"/filesystem.* cache/binary_rootfs
 	fi