From 43590c09a4e0e196beae0c3332a3183e06caee95 Mon Sep 17 00:00:00 2001
From: Eran Markus
Date: Sat, 6 Jun 2026 14:49:30 +0300
Subject: [PATCH 1/2] test: use a unique temp dir in test_variable_in_filter

The test wrote its fixture to the fixed path /tmp/key_file and the OVAL definition hardcoded /tmp as the file_object/file_state path. A predictable, world-accessible path in a shared directory races with other users or parallel test runs and lets an unrelated /tmp/key_file influence the result. Follow the pattern already used by test_pcre_nonutf_characters: put a TEMP_DIR_PLACEHOLDER in the OVAL definition, copy it to a temporary file, sed-substitute a per-run `mktemp -d` directory, and create the key_file fixture there. The filename pattern and evaluation logic are unchanged. Clean up the temporary directory at the end.
Fixes #1924
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 tests/API/OVAL/unittests/test_variable_in_filter.sh | 11 ++++++++---
 tests/API/OVAL/unittests/test_variable_in_filter.xml | 4 ++--
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/tests/API/OVAL/unittests/test_variable_in_filter.sh b/tests/API/OVAL/unittests/test_variable_in_filter.sh
index e725b32c4c..d0567bd3d5 100755
--- a/tests/API/OVAL/unittests/test_variable_in_filter.sh
+++ b/tests/API/OVAL/unittests/test_variable_in_filter.sh
@@ -4,14 +4,19 @@
 set -e
 set -o pipefail
 
+oval_def=`mktemp`
 result=`mktemp`
 stdout=`mktemp`
 stderr=`mktemp`
-echo "secret_key" > /tmp/key_file
+temp_dir=`mktemp -d`
+cp "$srcdir/test_variable_in_filter.xml" "$oval_def"
+sed -i "s;TEMP_DIR_PLACEHOLDER;$temp_dir;" "$oval_def"
+echo "secret_key" > "$temp_dir/key_file"
 
-$OSCAP oval eval --results "$result" "$srcdir/test_variable_in_filter.xml" > "$stdout" 2> "$stderr"
+$OSCAP oval eval --results "$result" "$oval_def" > "$stdout" 2> "$stderr"
 grep "Failed to convert OVAL state to SEXP" "$stderr" && exit 1
 assert_exists 1 '//oval_results/results/system/definitions/definition[@result="true"]'
 assert_exists 0 '//oval_results/results/system/definitions/definition[@result!="true"]'
 
-rm -f "$result" "$stdout" "$stderr" /tmp/key_file
+rm -f "$oval_def" "$result" "$stdout" "$stderr"
+rm -rf "$temp_dir"
diff --git a/tests/API/OVAL/unittests/test_variable_in_filter.xml b/tests/API/OVAL/unittests/test_variable_in_filter.xml
index 18101eb5f9..d136276212 100644
--- a/tests/API/OVAL/unittests/test_variable_in_filter.xml
+++ b/tests/API/OVAL/unittests/test_variable_in_filter.xml
@@ -24,7 +24,7 @@ - /tmp + TEMP_DIR_PLACEHOLDER ^key_file$ oval:x:ste:1
@@ -36,7 +36,7 @@ - /tmp + TEMP_DIR_PLACEHOLDER ^key_file$ 0
From 47338aaabdc2c84ee63583f500a4f87ce2c78a37 Mon Sep 17 00:00:00 2001
From: Eran Markus
Date: Sat, 6 Jun 2026 16:37:41 +0300
Subject: [PATCH 2/2] test: clean up via trap and use $(...) in test_variable_in_filter

Address review feedback:
- Register a cleanup() handler with `trap ... EXIT` so the temporary files and directory are removed even when an assertion fails under `set -e`, instead of relying on a final rm that is skipped on failure.
- Switch the backtick command substitutions to $(...) for readability, matching the sibling test_pcre_nonutf_characters test.
---
 .../OVAL/unittests/test_variable_in_filter.sh | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
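Review bot: In patch 1/2, the added line `sed -i "s;TEMP_DIR_PLACEHOLDER;$temp_dir;" "$oval_def"` pastes the mktemp path into a sed replacement unescaped, so a `TMPDIR` containing `;`, `&` or a backslash either breaks the expression or writes a path into the OVAL definition that is not the fixture directory. The test then fails (or passes) for a reason unrelated to what it checks. Escaping the value first keeps the two in step: `esc_dir=$(printf '%s' "$temp_dir" | sed 's/[;&\\]/\\&/g')`, then `sed "s;TEMP_DIR_PLACEHOLDER;$esc_dir;" "$srcdir/test_variable_in_filter.xml" > "$oval_def"`, which also removes the separate `cp` and the `-i` flag that BSD sed does not accept in this form. A path containing `&` or `<` would additionally need XML escaping, which this suggestion does not cover.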
diff --git a/tests/API/OVAL/unittests/test_variable_in_filter.sh b/tests/API/OVAL/unittests/test_variable_in_filter.sh
index d0567bd3d5..23f8862331 100755
--- a/tests/API/OVAL/unittests/test_variable_in_filter.sh
+++ b/tests/API/OVAL/unittests/test_variable_in_filter.sh
@@ -4,11 +4,18 @@
 set -e
 set -o pipefail
 
-oval_def=`mktemp`
-result=`mktemp`
-stdout=`mktemp`
-stderr=`mktemp`
-temp_dir=`mktemp -d`
+oval_def=$(mktemp)
+result=$(mktemp)
+stdout=$(mktemp)
+stderr=$(mktemp)
+temp_dir=$(mktemp -d)
+
+cleanup() {
+ rm -f "$oval_def" "$result" "$stdout" "$stderr"
+ rm -rf "$temp_dir"
+}
+trap cleanup EXIT
+
 cp "$srcdir/test_variable_in_filter.xml" "$oval_def"
 sed -i "s;TEMP_DIR_PLACEHOLDER;$temp_dir;" "$oval_def"
 echo "secret_key" > "$temp_dir/key_file"
@@ -17,6 +24,3 @@ $OSCAP oval eval --results "$result" "$oval_def" > "$stdout" 2> "$stderr"
 grep "Failed to convert OVAL state to SEXP" "$stderr" && exit 1
 assert_exists 1 '//oval_results/results/system/definitions/definition[@result="true"]'
 assert_exists 0 '//oval_results/results/system/definitions/definition[@result!="true"]'
-
-rm -f "$oval_def" "$result" "$stdout" "$stderr"
-rm -rf "$temp_dir"
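Review bot: `trap cleanup EXIT` in the first hunk is registered only after all five `mktemp` calls, so if one of the later calls fails under `set -e` the script exits before the handler exists and the files already created stay behind. Moving the `cleanup()` definition and the trap above `oval_def=$(mktemp)`, with the five variables first set to empty (`oval_def= result= stdout= stderr= temp_dir=`), closes that gap; with `-f`, `rm` ignores an operand that does not exist, so the handler needs no further guards. A one-line comment above the trap, for example `# remove temp files on every exit path, including set -e aborts`, would record why the trailing `rm` lines removed in the second hunk are no longer needed.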