diff --git a/.github/workflows/qa-main.yml b/.github/workflows/qa-main.yml
index f49e853..410d4a7 100644
--- a/.github/workflows/qa-main.yml
+++ b/.github/workflows/qa-main.yml
@@ -38,13 +38,39 @@ jobs:
 - name: Run action with args
 uses: ./
 with:
- args: -Dsonar.someArg=aValue -Dsonar.scanner.internal.dumpToFile=./output.properties
+ args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value"
 env:
 SONAR_HOST_URL: http://not_actually_used
 SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
 - name: Assert
 run: |
 ./test/assertFileContains ./output.properties "sonar.someArg=aValue"
+ ./test/assertFileContains ./output.properties "sonar.anotherArgWithSpaces=Another Value"
+ argsInputInjectionTest:
+ name: >
+ 'args' input with command injection will fail
+ strategy:
+ matrix:
+ os: [ ubuntu-latest, windows-latest, macos-latest ]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Run action with args
+ uses: ./
+ continue-on-error: true
+ with:
+ args: -Dsonar.someArg=aValue && echo "Injection"
+ env:
+ SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+ - name: Fail if action succeeded
+ if: steps.runTest.outcome == 'success'
+ run: exit 1
+ - name: Assert the scanner was not called
+ run: |
+ ./test/assertFileDoesntExist ./output.properties
 projectBaseDirInputTest:
 name: >
 'projectBaseDir' input
diff --git a/action.yml b/action.yml
index 847cec8..fe4ac90 100644
--- a/action.yml
+++ b/action.yml
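Review bot: `if: steps.runTest.outcome == 'success'` in the new argsInputInjectionTest job refers to a step id that no step in the job declares, so the expression is never true and "Fail if action succeeded" is always skipped; because the action step runs with `continue-on-error: true`, only the final assertFileDoesntExist step can currently fail the job. Add `id: runTest` to the "Run action with args" step so the outcome check does what the step name says. The assert steps also invoke bash scripts through `run:` without a `shell:`, and windows-latest is in the matrix where the default shell is pwsh; if the sibling jobs outside this hunk set `shell: bash` for those steps, mirror it here.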
@@ -50,7 +50,10 @@ runs:
 run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
 shell: bash
 - name: Run SonarScanner
- run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh ${{ inputs.args }}
+ run: |
+ args=(${{ inputs.args }})
+ cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${args[@]}")
+ "${cmd[@]}"
 shell: bash
 env:
 INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
diff --git a/test/assertFileContains b/test/assertFileContains
index 69380e1..3db91b2 100755
--- a/test/assertFileContains
+++ b/test/assertFileContains
@@ -1,10 +1,14 @@
 #!/bin/bash
+set -eou pipefail
+
 error() { echo -e "\\e[31m✗ $*\\e[0m"; }
-assertFileExists $1
+scriptDir=$(dirname -- "$(readlink -f -- "${BASH_SOURCE[0]}")")
+
+$scriptDir/assertFileExists "$1"
-if ! grep -q $2 $1; then
+if ! grep -q "$2" "$1"; then
 error "'$2' not found in '$1'"
 exit 1
 fi
\ No newline at end of file
diff --git a/test/assertFileDoesntExist b/test/assertFileDoesntExist
index 032a07c..b7f2982 100755
--- a/test/assertFileDoesntExist
+++ b/test/assertFileDoesntExist
@@ -1,8 +1,10 @@
 #!/bin/bash
+set -eou pipefail
+
 error() { echo -e "\\e[31m✗ $*\\e[0m"; }
-if [ -f $1 ]; then
+if [ -f "$1" ]; then
 error "File '$1' found"
 exit 1
 fi
\ No newline at end of file
diff --git a/test/assertFileExists b/test/assertFileExists
index 8f04686..f35d9f5 100755
--- a/test/assertFileExists
+++ b/test/assertFileExists
@@ -1,8 +1,10 @@
 #!/bin/bash
+set -eou pipefail
+
 error() { echo -e "\\e[31m✗ $*\\e[0m"; }
-if [ ! -f $1 ]; then
+if [ ! -f "$1" ]; then
 error "File '$1' not found"
 exit 1
 fi
\ No newline at end of file
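Review bot: `args=(${{ inputs.args }})` still substitutes the input into the script text before bash parses it, so the array form only rejects input that is syntactically invalid inside `( … )`, and it also glob-expands unquoted words against the working directory; the qa-main test only exercises the `&&` case. The robust pattern is to hand the value to the script through an environment variable and tokenise it with a tool that never evaluates it; `xargs` applies shell-like quoting rules, so `-Dsonar.anotherArgWithSpaces="Another Value"` still arrives as one argument (which the qa-main assertion depends on) while nothing in the input is executed. `${GITHUB_ACTION_PATH}` in the `cmd=(…)` line is unquoted as well and would word-split on a path containing a space. The `env:` block continues outside the hunk, so the new variable sits alongside INPUT_PROJECTBASEDIR.
```yaml
      - name: Run SonarScanner
        run: |
          args=()
          if [ -n "${INPUT_ARGS}" ]; then
            # xargs tokenises with shell-like quoting but never evaluates the text
            while IFS= read -r tok; do args+=("$tok"); done \
              < <(printf '%s' "${INPUT_ARGS}" | xargs -n1 printf '%s\n')
          fi
          "${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh" "${args[@]}"
        shell: bash
        env:
          INPUT_ARGS: ${{ inputs.args }}
          # … unchanged: INPUT_PROJECTBASEDIR and the remaining env entries …
```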
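Review bot: `grep -q "$2" "$1"` in assertFileContains treats the expected text as a regular expression, so the `.` in `sonar.someArg=aValue` matches any character and an expectation beginning with `-` would be parsed as a grep option; `grep -qF -- "$2" "$1"` checks the literal string and ends option parsing. `$scriptDir` in `$scriptDir/assertFileExists "$1"` is left unquoted while every other expansion in the patch is quoted; `"$scriptDir/assertFileExists" "$1"` is consistent and survives a checkout path containing a space. `readlink -f` is GNU-style and, as far as I know, only available on recent macOS, so if these scripts must also run on older macOS a `cd "$(dirname -- "${BASH_SOURCE[0]}")" && pwd` form is the portable alternative. The parallel set -eou/quoting changes in assertFileDoesntExist and assertFileExists need nothing further.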