[BUG] rpm: shell scripts should have macros escaped

[cpuguy83]

Expected Behavior

No response

Actual Behavior

Currently it may be possible to inject custom macros or access things that we aren't expecting and potentially break the build (even accidentally) based on if some value matches an rpmbuild macro.

Steps To Reproduce

As an example: in a build step inject a macro like:

%install
# insert extra stuff not in the yaml artifact spec

Are you willing to submit PRs to contribute to this bug fix?

• Yes, I am willing to implement it.

[adamperlin]

We should definitely try and escape macros, though I do worry about the difficulty of handling all edge cases here. As an additional part of this issue, I would propose more validation on build steps using a shell parser such as https:/mvdan/sh, at least for RPM targets

[cpuguy83]

Was thinking about this yesterday.
We could probably just drop all the build scripts into a separate script file, include it as a Source in the rpm spec and execute that.

[cpuguy83]

There's still potentially some other problems that would be easier to address in things like artifact lists.