I have a fixlet which allows operators to enter a message that will be displayed through osascript to the user.
In my script, I use the parameters like so:
osascript -e "on run(argv)" -e "return display alert item 1 of argv message item 2 of argv as critical" -e "end" -- "{parameter "warnTitle"}" "{parameter "warnMessage"}" > /dev/null 2>&1 &
The issue is if the operator enters a double quote in the message box, it will break the command. Short of just telling operators “Don’t do that”, is there any way to actually pass a double quote?
The other option would be input validation in the fixlet, and block it from deploying if a double quote is detected, but I’d like to be able to use double quotes if needed.
but just echoing the parameter would break the script too. If I wrap the echo in single quotes, then single quotes would break the script. Does it have to be one or the other?
There are a couple issues here. They orbit around character escaping through the BigFix and shell environments, and then also osascript/AppleScript (and notifications on macOS).
As you’re ultimately passing strings to the shell, the user input content needs to be shell-safe before you pass the parameter.
osascript is AppleScript, which means you might need to grant (via MDM) to BESAgent the PPC rights for com.apple.systemuiserver and com.apple.systemevents. (I don’t offhand recall which, or if it’s necessary.) (Maybe also Terminal?)
You can do [1] in actionscript, or via webtech inside the action parameter form as @orbiton suggests. Action script will require some level of juggling the escaping:
parameter "foo" = "%22bar%22"
parameter "bar" = "{parameter "foo"}"
parameter "foobar" = "{concatenation "\%22" of substrings separated by "%22" of parameter "bar"}"
For [2], bridging the shell to AppleScript is ummm ungreat. Odds are your MDM has a bridge to system notifications which is much better behaved. WorkspaceONE has hubcli, JAMF has jamf, etc. (AppleScript has display notification, but its UX is IMO undesirable.)
@orbiton I was trying to find a way to escape the characters automatically, or prevent the script from breaking if someone does not escape the character when entering their text in the console.
I can put a warning “Do not enter quotes” or “Escape quotes with a backslash”, but invariably someone will enter quotes and ask me why the fixlet is failing.
@atlauren The osascript command doesn’t seem to have any trouble running without any additional PPPC rights. I’m able to see the window pop up, triggered by BigFix, on a Seqouia machine that isn’t enrolled to an MDM. Which, is the specific use-case for this fixlet: devices that aren’t (yet) joined to an MDM (please believe I’ve made my case that macOS cannot be properly managed without an MDM — it’s just not up to me)
I think I might try this:
Create a script that just echoes the input
If it succeeds (exit 0) then set a parameter (e.g. success) for the following script to check, which tells it that it’s safe to put the parameters into osascript
If it fails, fall back to a default message instead
I imagine you’ve already climbed this hill, but perhaps you’re already licensed for BigFix MCM? “We’re already licensed for it” can be a valuable selling point.
(We were already invested in another MDM when MCM came to exist.)
@orbiton Hmm. I would still need to escape the quotes though, right? I trust myself to do it, but we have over 100 operators with (highly) varying skill levels.
@atlauren We have an MDM The joys of working in a federated environment…
Let’s back up a step.
Do you need to escape the doublequotes, or other special characters…or can you just remove them?
If it’s ok to just discard all the special characters, this is a case where a regular expression may be easier to read than most of the other ways to do it.
Given this sample string with double- and single-quotes, we can strip them out by concatenating together only the regular expression matches of a “word” character (a-z, A-Z, and ‘_’) with the ‘\w’ class; or a numeric digit with the ‘\d’ class; or spaces/tabs with the ‘\s’ class.
q: "%22This%22 is a test: 'To Be, or Not To Be'"
A: "This" is a test: 'To Be, or Not To Be'
T: 0.626 ms
I: singular string
q:concatenation of matches(regex("\w|\d|\s")) of "%22This%22 is a test: 'To Be, or Not To Be'"
A: This is a test To Be or Not To Be
T: 0.596 ms
I: singular string
Putting that in an ActionScript would be something like
parameter "SafeWarningTitle"="{concatenation of matches(regex("\w|\d|\s")) of parameter "RawWarningTitle" of action}"
parameter "SafeWarningText"="{concatenation of matches(regex("\w|\d|\s")) of parameter "RawWarningText" of action}"
and then go on to use ‘SafeWarningTitle’ and ‘SafeWarningText’ where you need to.
And, in case i’ts helpful – in this post we’ve talked about special escaping for Relevance strings (percent-encoding), JavaScript (on the input dialog of this fixlet and in the running output), Shell script, and maybe another place I’m forgetting. Just a tip, but where we need to pass a complex string like this through different languages or potentially multiple different languages, I find it’s handy to base64-encode the string until we need to use it. That way we don’t have to worry about all the different ways of escaping it in-between.
