From 5fc8cfce6b9d02c7848cd3f1e6888c2533c019de Mon Sep 17 00:00:00 2001 From: Aleksandra Bozhinoska Date: Fri, 22 Aug 2025 17:37:43 +0200 Subject: [PATCH 1/3] SQSCANGHA-101 Fix sha256 check in QA Deprecated C/C++ action --- scripts/download.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/download.sh b/scripts/download.sh index 2be77d5..5303d52 100755 --- a/scripts/download.sh +++ b/scripts/download.sh @@ -28,7 +28,7 @@ parse_arguments() { } verify_download_correctness() { - echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c + echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c - check_status "Checking sha256 failed" } From 016cabf33a6b7edf0733e179a03ad408ad4e88ba Mon Sep 17 00:00:00 2001 From: Aleksandra Bozhinoska Date: Thu, 28 Aug 2025 10:49:39 +0200 Subject: [PATCH 2/3] SQSCANGHA-101 Add more command injection tests --- .github/workflows/qa-main.yml | 103 ++++++++++++++++++++++++++++--- action.yml | 6 +- scripts/run-sonar-scanner-cli.sh | 12 +++- scripts/run-sonar-scanner.sh | 6 ++ 4 files changed, 114 insertions(+), 13 deletions(-) create mode 100755 scripts/run-sonar-scanner.sh diff --git a/.github/workflows/qa-main.yml b/.github/workflows/qa-main.yml index 3d7098b..1117256 100644 --- a/.github/workflows/qa-main.yml +++ b/.github/workflows/qa-main.yml 
@@ -41,17 +41,44 @@ jobs: - name: Run action with args uses: ./ with: - args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value" + args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value" -Dsonar.argWithSingleQuotes='Another Value' env: SONAR_HOST_URL: http://not_actually_used SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}' - name: Assert run: | ./test/assertFileContains ./output.properties "sonar.someArg=aValue" - ./test/assertFileContains ./output.properties "sonar.anotherArgWithSpaces=Another Value" + ./test/assertFileContains ./output.properties 'sonar.anotherArgWithSpaces="Another Value"' + ./test/assertFileContains ./output.properties "sonar.argWithSingleQuotes='Another Value'" argsInputInjectionTest: name: > 'args' input with command injection will fail + strategy: + matrix: + os: [ ubuntu-latest-large, windows-latest-large, macos-latest ] + args: [ -Dsonar.someArg=aValue && echo "Injection", -Dsonar.someArg="value\"; whoami; echo \"" ] + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@v5 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Run action with args + uses: ./ + continue-on-error: true + with: + args: ${{ matrix.args }} + env: + SONAR_HOST_URL: http://not_actually_used + SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}' + - name: Fail if action succeeded + if: steps.runTest.outcome == 'success' + run: exit 1 + - name: Assert the scanner was not called + run: | + ./test/assertFileDoesntExist ./output.properties + backtickCommandInjectionTest: + name: > + 'args' input with backticks injection does not execute command strategy: matrix: os: [ ubuntu-latest-large, windows-latest-large, macos-latest ] 
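Review bot: The `Fail if action succeeded` step added to argsInputInjectionTest checks `steps.runTest.outcome == 'success'`, but the `Run action with args` step it refers to has no `id:`, so `steps.runTest` is undefined, the condition is never true and the step is inert; add `id: runTest` directly under `- name: Run action with args`. The job still catches a run that unexpectedly succeeds, because a completed scanner run would write ./output.properties and `assertFileDoesntExist` would then fail, but the explicit outcome check the job advertises does not fire. The same dead reference is present in the lines this commit removes from the old job further down, so it is worth fixing while the step is being rewritten. The second matrix entry, `-Dsonar.someArg="value\"; whoami; echo \""`, is a plain YAML scalar with embedded escapes; wrapping the entry in single quotes would make the literal the test intends easier to read and less fragile to YAML parsing.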
@@ -64,16 +91,76 @@ jobs: uses: ./ continue-on-error: true with: - args: -Dsonar.someArg=aValue && echo "Injection" + args: > + -Dsonar.arg1="refs/heads/branch: [workflows] Bump `actions/*`" -Dsonar.arg2="test `echo Command Injection`" -Dsonar.arg3="`id`" -Dsonar.arg4="test'; `echo injection`; echo '" -Dsonar.arg5=" `whoami` " -Dsonar.arg6="test\`echo injection\`test" env: SONAR_HOST_URL: http://not_actually_used SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}' - - name: Fail if action succeeded - if: steps.runTest.outcome == 'success' - run: exit 1 - - name: Assert the scanner was not called + - name: Assert command in arg is not executed run: | - ./test/assertFileDoesntExist ./output.properties + ./test/assertFileContains ./output.properties 'sonar.arg1="refs/heads/branch\\: \[workflows\] Bump `actions/\*`"' + ./test/assertFileContains ./output.properties 'sonar.arg2="test `echo Command Injection`"' + ./test/assertFileContains ./output.properties 'sonar.arg3="`id`"' + ./test/assertFileContains ./output.properties "sonar.arg4=\"test'; \`echo injection\`; echo '\"" + ./test/assertFileContains ./output.properties 'sonar.arg5=" `whoami` "' + ./test/assertFileContains ./output.properties 'sonar.arg6="test\\\\`echo injection\\\\`test"' + dollarSymbolCommandInjectionTest: + name: > + 'args' input with dollar command injection does not execute command + strategy: + matrix: + os: [ ubuntu-latest-large, windows-latest-large, macos-latest ] + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@v5 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Run action with args + uses: ./ + continue-on-error: true + with: + args: -Dsonar.arg1="$(whoami)" -Dsonar.arg2="$GITHUB_TOKEN" -Dsonar.arg3="$(echo outer $(echo inner))" -Dsonar.arg4="value\$(whoami)end" -Dsonar.arg5="$(printf 'A%.0s' {1..10000})" -Dsonar.arg6='value"; $(whoami); echo "' + env: + SONAR_HOST_URL: http://not_actually_used + SONAR_SCANNER_JSON_PARAMS: 
'{"sonar.scanner.internal.dumpToFile": "./output.properties"}' + - name: Assert command in arg is not executed + run: | + ./test/assertFileContains ./output.properties 'sonar.arg1="$(whoami)"' + ./test/assertFileContains ./output.properties 'sonar.arg2="$GITHUB_TOKEN"' + ./test/assertFileContains ./output.properties 'sonar.arg3="$(echo outer $(echo inner))"' + ./test/assertFileContains ./output.properties 'sonar.arg4="value\\\\$(whoami)end"' + ./test/assertFileContains ./output.properties 'sonar.arg5="$(printf '\''A%.0s'\'' {1..10000})"' + ./test/assertFileContains ./output.properties 'sonar.arg6='\''value"; $(whoami); echo "'\''' + otherCommandInjectionVariantsTest: + name: > + 'args' input with other command injection variants does not execute command + strategy: + matrix: + os: [ ubuntu-latest-large, windows-latest-large, macos-latest ] + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@v5 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Run action with args + uses: ./ + continue-on-error: true + with: + args: -Dsonar.arg1="test | base64" -Dsonar.arg2="value; whoami" -Dsonar.arg3="value && echo test" -Dsonar.arg4="value > /tmp/output.txt" -Dsonar.arg5="< /etc/passwd" -Dsonar.arg6="" -Dsonar.arg7="../../../*" -Dsonar.arg8="*.key" -Dsonar.arg9="test\u0027\u0060whoami\u0060" + env: + SONAR_HOST_URL: http://not_actually_used + SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}' + - name: Assert command in arg is not executed + run: | + ./test/assertFileContains ./output.properties 'sonar.arg1="test | base64"' + ./test/assertFileContains ./output.properties 'sonar.arg2="value; whoami"' + ./test/assertFileContains ./output.properties 'sonar.arg3="value && echo test"' + ./test/assertFileContains ./output.properties 'sonar.arg4="value > /tmp/output.txt"' + ./test/assertFileContains ./output.properties 'sonar.arg5="< /etc/passwd"' + ./test/assertFileContains ./output.properties 'sonar.arg6=""' + 
./test/assertFileContains ./output.properties 'sonar.arg7="../../../\*"' + ./test/assertFileContains ./output.properties 'sonar.arg8="\*.key"' + ./test/assertFileContains ./output.properties 'sonar.arg9="test\\\\u0027\\\\u0060whoami\\\\u0060"' projectBaseDirInputTest: name: > 'projectBaseDir' input diff --git a/action.yml b/action.yml index 39b39f2..8bc664e 100644 --- a/action.yml +++ b/action.yml @@ -51,11 +51,9 @@ runs: run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH shell: bash - name: Run SonarScanner - run: | - args=(${{ inputs.args }}) - cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${args[@]}") - "${cmd[@]}" + run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner.sh shell: bash env: + INPUT_ARGS: ${{ inputs.args }} INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }} SONAR_SCANNER_JRE: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/jre diff --git a/scripts/run-sonar-scanner-cli.sh b/scripts/run-sonar-scanner-cli.sh index a92b7eb..d8615e8 100755 --- a/scripts/run-sonar-scanner-cli.sh +++ b/scripts/run-sonar-scanner-cli.sh @@ -73,7 +73,17 @@ if [[ -n "${SONAR_ROOT_CERT}" ]]; then scanner_args+=("-Dsonar.scanner.truststorePassword=$SONAR_SSL_TRUSTSTORE_PASSWORD") fi -scanner_args+=("$@") +# split input args correctly (passed through INPUT_ARGS env var to avoid execution of injected command) +args=() +if [[ -n "${INPUT_ARGS}" ]]; then +# the regex recognizes args with values in single or double quotes (without character escaping), and args without quotes as well +# more specifically, the following patterns: -Darg="value", -Darg='value', -Darg=value, "-Darg=value" and '-Darg=value' + IFS=$'\n'; args=($(echo ${INPUT_ARGS} | egrep -o '[^" '\'']+="[^"]*"|[^" '\'']+='\''[^'\'']*'\''|[^" '\'']+|"[^"]+"|'\''[^'\'']+'\''')) +fi + +for arg in "${args[@]}"; do + scanner_args+=("$arg") +done set -ux 
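Review bot: The three new jobs only assert that each literal reached the dumped properties file; for the redirection and glob variants in otherCommandInjectionVariantsTest (`arg4` targets /tmp/output.txt, `arg5` reads /etc/passwd, `arg7` and `arg8` are glob patterns) nothing checks that the side effect did not actually happen on the runner, so a shell that expanded the value and still forwarded the literal text would pass. Add `./test/assertFileDoesntExist /tmp/output.txt` to that job's assert step; the helper already exists and is used by argsInputInjectionTest. The `assertFileContains` arguments appear to be regular expressions (the `\[`, `\*` and `\\:` escapes in the backtick job's first pattern), so the unescaped `.`, `$` and `(` in patterns such as `'sonar.arg1="$(whoami)"'` match more loosely than they read, and depending on the helper's grep flavour a mid-pattern `$` may not match at all; confirm those patterns match the literal text, or pass them as fixed strings. The per-job matrix/checkout boilerplate is repeated three times with identical contents; a reusable matrix anchor would keep the jobs from drifting.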
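Review bot: `run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner.sh` leaves the path unquoted, so a runner whose action path contains whitespace or glob characters would have it split before execution; quote it, `run: '"${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner.sh"'`. Moving the input out of the script text into the `INPUT_ARGS` environment variable is the right shape, since an expression interpolated into `run:` becomes shell source. The unchanged line just above still interpolates `${{ inputs.scannerVersion }}` into the `echo ... >> $GITHUB_PATH` command, so that input remains a shell-injection surface of the same kind; the `INPUT_SCANNERVERSION` variable already exported under `env:` (visible in the third patch's context) could be used there instead of the expression.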
diff --git a/scripts/run-sonar-scanner.sh b/scripts/run-sonar-scanner.sh new file mode 100755 index 0000000..87d0c6a --- /dev/null +++ b/scripts/run-sonar-scanner.sh @@ -0,0 +1,6 @@ +#!/usr/bin/env bash +set -euo pipefail + +# run the sonar scanner cli +cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${INPUT_ARGS}") +"${cmd[@]}" From 1a6d90ebcb0e6a6b1d87e37ba693fe453195ae25 Mon Sep 17 00:00:00 2001 From: Daan Timmer <8293597+daantimmer@users.noreply.github.com> Date: Thu, 28 Aug 2025 12:18:32 +0200 Subject: [PATCH 3/3] SQSCANGHA-102 Pin actions/cache to a full-length commit SHA (#199) --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 8bc664e..1784c4c 100644 --- a/action.yml +++ b/action.yml @@ -33,7 +33,7 @@ runs: INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }} - name: Load Sonar Scanner CLI from cache id: sonar-scanner-cli - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 #v4.2.4 env: # The default value is 60mins. Reaching timeout is treated the same as a cache miss. SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
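Review bot: `cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${INPUT_ARGS}")` passes the whole input as one positional argument, but the companion hunk in run-sonar-scanner-cli.sh removes `scanner_args+=("$@")` and reads `INPUT_ARGS` from the environment instead, so unless the cli script consumes positional parameters above that hunk the argument is dead. `${GITHUB_ACTION_PATH}` is also unquoted inside the array, so it is word-split and glob-expanded before the command runs. The script can be reduced to `exec "${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh"`, with INPUT_ARGS inherited through the environment; `set -u` then still aborts loudly if the action path is missing. If the positional form is kept on purpose, a comment stating which of the two channels the cli script actually reads would stop them from drifting apart.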