fix: harden sdkman and ruby mirror config writes

Agent-Logs-Url: https://github.com/bbartels/features/sessions/47fca3d3-4eb7-487d-9af5-e4b462552066

Co-authored-by: bbartels <[email protected]>

Author: Copilot

src/java/install.sh

@@ -326,12 +326,15 @@ if [ ! -d "${SDKMAN_DIR}" ]; then
     fi
     curl -sSL "https://get.sdkman.io?rcupdate=false" | bash
     if [ -n "${SDKMAN_SERVICE_MIRROR:-}" ] && [ -f "${SDKMAN_DIR}/etc/config" ]; then
-        sdkman_service_mirror_escaped="$(printf '%s\n' "${SDKMAN_SERVICE_MIRROR}" | sed 's/[&|\\]/\\&/g')"
-        if grep -q "^sdkman_api=" "${SDKMAN_DIR}/etc/config"; then
-            sed -i "s|^sdkman_api=.*|sdkman_api=${sdkman_service_mirror_escaped}|" "${SDKMAN_DIR}/etc/config"
-        else
-            echo "sdkman_api=${SDKMAN_SERVICE_MIRROR}" >> "${SDKMAN_DIR}/etc/config"
-        fi
+        sdkman_config_tmp="$(mktemp)"
+        awk -v api="${SDKMAN_SERVICE_MIRROR}" '
+            BEGIN { updated=0 }
+            /^sdkman_api=/ { print "sdkman_api=" api; updated=1; next }
+            { print }
+            END { if (updated == 0) print "sdkman_api=" api }
+        ' "${SDKMAN_DIR}/etc/config" > "${sdkman_config_tmp}"
+        cat "${sdkman_config_tmp}" > "${SDKMAN_DIR}/etc/config"
+        rm -f "${sdkman_config_tmp}"
     fi
     # For RHEL 8 systems, also disable native CLI in config file and remove native binaries
     if [ "${ADJUSTED_ID}" = "rhel" ] && [ "${MAJOR_VERSION_ID}" = "8" ]; then

src/ruby/install.sh

@@ -328,6 +328,15 @@ set_rvm_install_args() {
     fi
 }
 
+validate_mirror_url() {
+    local mirror_name="$1"
+    local mirror_url="$2"
+    if [ -n "${mirror_url}" ] && [[ ! "${mirror_url}" =~ ^https?:// ]]; then
+        echo "(!) ${mirror_name} must start with http:// or https://"
+        exit 1
+    fi
+}
+
 run_rvm_installer() {
     local install_args="$1"
     if [ -n "${RVM_INSTALL_MIRROR:-}" ]; then
@@ -376,6 +385,8 @@ else
         echo "(!) Mirror values must not contain newlines."
         exit 1
     fi
+    validate_mirror_url "RUBY_SOURCE_MIRROR" "${RUBY_SOURCE_MIRROR:-}"
+    validate_mirror_url "RUBY_BINARIES_MIRROR" "${RUBY_BINARIES_MIRROR:-}"
     if [ -n "${RUBY_SOURCE_MIRROR:-}" ] && ! grep -Fqx "rvm_rubies_url=${RUBY_SOURCE_MIRROR}" /etc/rvmrc 2>/dev/null; then
         echo "rvm_rubies_url=${RUBY_SOURCE_MIRROR}" >> /etc/rvmrc
     fi