
Commit ae5237d

SQSCANGHA-101 Add another test
1 parent 786af10 commit ae5237d

3 files changed

Lines changed: 34 additions & 6 deletions


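--- a/.github/workflows/qa-main.yml
+++ b/.github/workflows/qa-main.yml
@@ -74,6 +74,28 @@ jobs:
       - name: Assert the scanner was not called
         run: |
           ./test/assertFileDoesntExist ./output.properties
+  argsCommandInjectionTest:
+    name: >
+      'args' input with backticks injection does not execute command
+    strategy:
+      matrix:
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run action with args
+        uses: ./
+        continue-on-error: true
+        with:
+          args: -Dsonar.someArg="test `echo Command Injection`"
+        env:
+          SONAR_HOST_URL: http://not_actually_used
+          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+      - name: Assert command in arg is not executed
+        run: |
+          ./test/assertFileContains ./output.properties "sonar.someArg=test Command Injection"
   projectBaseDirInputTest:
     name: >
       'projectBaseDir' input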
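Review bot: The expected string in the last step, `"sonar.someArg=test Command Injection"`, is exactly what bash produces once the backtick substitution inside the `args` value has been evaluated (the backticks and the `echo ` are gone), and since action.yml in this same commit still expands the input with `args=(${{ inputs.args }})`, the assertion appears to pass precisely when the embedded command does run, which is the opposite of what the job name claims. If the intent is to prove non-execution, the assertion should look for the literal argument text with the backticks still present, or the step should fail when the substituted form `test Command Injection` is found in `./output.properties`. The `jobs:` mapping continues outside the hunk.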

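--- a/action.yml
+++ b/action.yml
@@ -53,8 +53,7 @@ runs:
       - name: Run SonarScanner
         run: |
           args=(${{ inputs.args }})
-          cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${args[@]}")
-          "${cmd[@]}"
+          "${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh" "${args[@]}"
         shell: bash
         env:
           INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}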
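Review bot: The unchanged line above the edit, `args=(${{ inputs.args }})`, still pastes the `args` input into the script source before bash parses it, so any shell syntax in the input (quotes, backticks, command substitution) is interpreted by bash no matter how the scanner script is invoked afterwards; the rewritten invocation line only drops the intermediate `cmd` array and does not change that. The usual mitigation is to hand the input to the step through its env block, following the existing `INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}` pattern (an `INPUT_ARGS` entry would be the proposal here), and split it inside the script with something like `read -ra args <<< "$INPUT_ARGS"`, which never evaluates the text as code. That splitter does not honour quoted groups, so if quoting inside `args` is a documented feature a different word splitter is needed. The step's `env:` block continues outside the hunk.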

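--- a/scripts/run-sonar-scanner-cli.sh
+++ b/scripts/run-sonar-scanner-cli.sh
@@ -73,9 +73,16 @@ if [[ -n "${SONAR_ROOT_CERT}" ]]; then
   scanner_args+=("-Dsonar.scanner.truststorePassword=$SONAR_SSL_TRUSTSTORE_PASSWORD")
 fi
 
-scanner_args+=("$@")
-
+for arg in "$@"; do
+  # Append each argument to the array
+  # The double quotes around "$arg" are crucial
+  scanner_args+=("$arg")
+done
+echo "Args to sonar-scanner: ${scanner_args}"
 set -ux
 
-$SCANNER_BIN ${scanner_args[@]+"${scanner_args[@]}"}
-
+if [[ ${#scanner_args[@]} -gt 0 ]]; then
+  $SCANNER_BIN "${scanner_args[@]}"
+else
+  $SCANNER_BIN
+fi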
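Review bot: `echo "Args to sonar-scanner: ${scanner_args}"` expands only the first element of a bash array, so the log line misreports the arguments, and the obvious fix of printing the whole array with `[@]` or `[*]` would write `-Dsonar.scanner.truststorePassword=$SONAR_SSL_TRUSTSTORE_PASSWORD` (appended three lines above the change) into the job log. Prefer logging only the count, `echo "Args to sonar-scanner: ${#scanner_args[@]} argument(s)"`, or dropping the line; the unchanged `set -ux` right after it already traces the final command line, so the password reaches the log through the trace unless that element is masked, which predates this commit but deserves a follow-up. The `for arg in "$@"` loop is behaviourally identical to the removed `scanner_args+=("$@")`, and its comment `# The double quotes around "$arg" are crucial` explains a property the one-liner already had, so the loop adds five lines without changing what runs. The script continues outside the hunk.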
