From 8348929a381a27fda7ccc78e063286e15939a756 Mon Sep 17 00:00:00 2001 From: Clay Sweetser Date: Thu, 31 Aug 2023 15:38:29 -0400 Subject: [PATCH 1/3] Mention shell injection in local provisioner documentation --- website/docs/language/resources/provisioners/local-exec.mdx | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/website/docs/language/resources/provisioners/local-exec.mdx b/website/docs/language/resources/provisioners/local-exec.mdx index ed19ec9499..635480ba09 100644 --- a/website/docs/language/resources/provisioners/local-exec.mdx +++ b/website/docs/language/resources/provisioners/local-exec.mdx @@ -40,7 +40,10 @@ The following arguments are supported: * `command` - (Required) This is the command to execute. It can be provided as a relative path to the current working directory or as an absolute path. It is evaluated in a shell, and can use environment variables or Terraform - variables. + variables. Note that direct use of Terraform variables within a command + should be avoided, as doing so can lead to [shell injection](https://en.wikipedia.org/wiki/Code_injection#Shell_injection) + vulnerabilities. Instead, one should pass Terraform variables to a command + through the `environment` parameter whenever possible. * `working_dir` - (Optional) If provided, specifies the working directory where `command` will be executed. It can be provided as a relative path to the From 6aa2853896b642ac8dc741a8f1122308ddbc9400 Mon Sep 17 00:00:00 2001 From: Clay Sweetser Date: Fri, 1 Sep 2023 13:16:20 -0400 Subject: [PATCH 2/3] Update local-exec.mdx --- .../docs/language/resources/provisioners/local-exec.mdx | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/website/docs/language/resources/provisioners/local-exec.mdx b/website/docs/language/resources/provisioners/local-exec.mdx index 635480ba09..c2c525c97e 100644 --- a/website/docs/language/resources/provisioners/local-exec.mdx 
+++ b/website/docs/language/resources/provisioners/local-exec.mdx @@ -39,11 +39,12 @@ The following arguments are supported: * `command` - (Required) This is the command to execute. It can be provided as a relative path to the current working directory or as an absolute path. - It is evaluated in a shell, and can use environment variables or Terraform - variables. Note that direct use of Terraform variables within a command - should be avoided, as doing so can lead to [shell injection](https://en.wikipedia.org/wiki/Code_injection#Shell_injection) + It is evaluated in a shell, and as such can use environment variables for + variable substitution. While Terraform variables may also be used for variable + substitution, doing so should be avoided as it can lead to [shell injection](https://en.wikipedia.org/wiki/Code_injection#Shell_injection) vulnerabilities. Instead, one should pass Terraform variables to a command - through the `environment` parameter whenever possible. + through the `environment` parameter and use environment variable substitution + instead. * `working_dir` - (Optional) If provided, specifies the working directory where `command` will be executed. It can be provided as a relative path to the From 439b0ef81a63bb431c5bb34fd2932399aad8de77 Mon Sep 17 00:00:00 2001 From: Clay Sweetser Date: Thu, 2 Nov 2023 15:39:26 -0400 Subject: [PATCH 3/3] Implement suggestion Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --- .../docs/language/resources/provisioners/local-exec.mdx | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/website/docs/language/resources/provisioners/local-exec.mdx b/website/docs/language/resources/provisioners/local-exec.mdx index c2c525c97e..712577ed39 100644 --- a/website/docs/language/resources/provisioners/local-exec.mdx +++ b/website/docs/language/resources/provisioners/local-exec.mdx 
@@ -39,12 +39,11 @@ The following arguments are supported: * `command` - (Required) This is the command to execute. It can be provided as a relative path to the current working directory or as an absolute path. - It is evaluated in a shell, and as such can use environment variables for - variable substitution. While Terraform variables may also be used for variable - substitution, doing so should be avoided as it can lead to [shell injection](https://en.wikipedia.org/wiki/Code_injection#Shell_injection) - vulnerabilities. Instead, one should pass Terraform variables to a command + The `command` is is evaluated in a shell and can use environment variables for + variable substitution. We do not recommend using Terraform variables for variable + substitution because doing so can lead to shell injection vulnerabilities. Instead, you should pass Terraform variables to a command through the `environment` parameter and use environment variable substitution - instead. + instead. Refer to the following OWASP article for additional information about injection flaws: [Code Injection](https://owasp.org/www-community/attacks/Code_Injection). * `working_dir` - (Optional) If provided, specifies the working directory where `command` will be executed. It can be provided as a relative path to the
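Review bot: In the first hunk (PATCH 1/3, the `+ variables. Note that direct use of Terraform variables within a command` lines), the new text recommends passing values through the `environment` parameter but does not say what makes that safer, so a reader cannot tell whether `$FOO` in the command is equivalent to an interpolated `${var.foo}`. The difference worth one sentence is that an interpolated value is spliced into the command string before the shell parses it, so metacharacters in the value become part of the command, whereas an environment variable is expanded by the shell as data after parsing. I would add that sentence and also note that the reference should be quoted (`"$FOO"` rather than `$FOO`), since an unquoted expansion still undergoes word splitting and globbing. Minor: "one should pass" reads better as "pass".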
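Review bot: In the second hunk (PATCH 2/3), the rewritten lines `+ It is evaluated in a shell, and as such can use environment variables for` / `+ variable substitution. While Terraform variables may also be used for variable` / `+ substitution, ...` describe Terraform interpolation as a form of "variable substitution" alongside shell substitution, which blurs the point the paragraph is making: Terraform interpolation happens when the configuration is evaluated, before the shell ever sees the string, so it is string concatenation from the shell's point of view, not substitution. Naming that explicitly ("Terraform interpolates `${var.x}` into the command string before the shell runs it") is what justifies the injection warning. Also, "Instead, one should pass ... and use environment variable substitution instead" uses "instead" twice; drop one.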
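Review bot: In the third hunk (PATCH 3/3), the line `+ The \`command\` is is evaluated in a shell and can use environment variables for` has a duplicated "is". The line beginning `+ instead. Refer to the following OWASP article` is also far longer than the wrapping used by the surrounding lines and should be rewrapped to match. Since this is the final wording, a short example next to the recommendation would make it concrete; something like `command = "echo \"$NAME\""` with `environment = { NAME = var.name }` (hypothetical names, not from this change) shows the pattern the paragraph is asking for and contrasts with an interpolated `echo ${var.name}`, which is the form the warning is about. Replacing the Wikipedia link with the OWASP Code Injection article is fine.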