Error with JSON and Shell Script

0
votes

I have tried to make a slack notification with a shell script.

The JSON parameters are formed by variables what they are obtained by MySql querys.

#!/bin/sh
#MySQL RO Access
host='mysqlserver.com'
userdb='slackro'
password='password'
db='db'
#Slack information
hook='https://hook.slack'
user='slackusr'
channel='o_channel'
emoji='slackusr'

#Query
id=`mysql -D $db -u $userdb -p$password -e 'SELECT id FROM ticket WHERE tn ='$1'' -h $host | sed -e '1d'`
tn=`mysql -D $db -u $userdb -p$password -e 'SELECT tn FROM ticket WHERE tn ='$1'' -h $host | sed -e '1d'`
title=`mysql -D $db -u $userdb -p$password -e 'SELECT title FROM ticket WHERE tn ='$1'' -h $host | sed -e '1d' | sed "s/'/ /g" | sed "s/°//g" | sed "s/ /_/g" `
customer=`mysql -D $db -u $userdb -p$password -e 'SELECT customer_id FROM ticket WHERE tn ='$1'' -h $host | sed -e '1d'`
msj=`mysql -D $db -u $userdb -p$password -e 'SELECT a_body FROM article WHERE ticket_id ='$id' ORDER BY id DESC LIMIT 1' -h $host | sed -e '1d'`
url='http://iiabox.infra.ultra.sur.top/otrs/index.pl?Action=AgentTicketZoom;TicketID'$1

#Message
curl -X POST -H 'Content-type: application/json' --data '{"username": "slackusr","icon_emoji": ":slackusr:","attachments": [{"fallback": "New Ticket","pretext": "New ticket from '$customer'","title": "'$title'","title_link": "'$url'","text": "'$msj'","color": "#006495"}]}' $hook

When I execute this script I obtain something like that

curl -X POST -H 'Content-type: application/json' --data '{"username": "OTRS","icon_emoji": ":slackusr:","attachments": [{"fallback": "New Ticket","pretext": "New ticket from [email protected]","title": "Prueba' de Notificación '6","title_link": "http://site/otrs/index.pl?Action=AgentTicketZoom;TicketID2016110472000067","text": "Cerrado","color": "#006495"}]}' https://hooks.slack.com/ curl: (6) Could not resolve host: de curl: (6) Could not resolve host: xn--notificacin-zeb curl: (3) [globbing] unmatched close brace/bracket in column 152

I don't understand why the result of the variable $title shows that "Prueba' de Notificación '6"

If I print $title variable with echo I obtain: "Prueba de Notificación 6" without simple quotes before the first space and after the last space.

What can I do?

1
jsonshellcurlshslack
There are serious, security-impacting bugs in this code. What do you think happens if someone gives a ticket number of 1' OR '1' == '1, or a ticket number of '; DROP TABLE ticket; --? - Charles Duffy
As for safely forming JSON, rather than string concatenation (which makes you responsible for correct quoting), use a tool such as jq that understands the syntax. - Charles Duffy
...and for other bugs on the shell side, see shellcheck.net - Charles Duffy

1 Answers

1
votes

First: This code is, as a whole, broken beyond repair. Do not use it in production. Rewrite it in a language you're actually good in (and that has SQL libraries that support bind variables so you can fix your security bugs, and JSON libraries that will ensure that content is always correctly quoted), not shell.

That said, as for your immediate problem --

Whenever you do this in a single-quoted context:

"title": "'$title'",

...you're expanding $customer unquoted, meaning that spaces inside the expanded value are used for word-splitting and glob-expansion by the shell.

Instead, make it:

"title": "'"$title"'"

...opening a double-quoted context after terminating the single-quoted context.