actions/sonarqube-scan-action
2
0
Fork 0
mirror of https://github.com/SonarSource/sonarqube-scan-action.git synced 2025-12-12 17:31:15 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

SQSCANGHA-101 Add more command injection tests

Browse source
This commit is contained in:
Aleksandra Bozhinoska 2025-08-28 10:49:39 +02:00
parent 85ee78fad8
commit a9a17d3967
4 changed files with 114 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

103
.github/workflows/qa-main.yml vendored
View file

@ -41,17 +41,44 @@ jobs:
- name: Run action with args - name: Run action with args
uses: ./ uses: ./
with: with:
args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value" args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value" -Dsonar.argWithSingleQuotes='Another Value'
env: env:
SONAR_HOST_URL: http://not_actually_used SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}' SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert - name: Assert
run: | run: |
./test/assertFileContains ./output.properties "sonar.someArg=aValue" ./test/assertFileContains ./output.properties "sonar.someArg=aValue"
./test/assertFileContains ./output.properties "sonar.anotherArgWithSpaces=Another Value" ./test/assertFileContains ./output.properties 'sonar.anotherArgWithSpaces="Another Value"'
./test/assertFileContains ./output.properties "sonar.argWithSingleQuotes='Another Value'"
argsInputInjectionTest: argsInputInjectionTest:
name: > name: >
'args' input with command injection will fail 'args' input with command injection will fail
strategy:
matrix:
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
args: [ -Dsonar.someArg=aValue && echo "Injection", -Dsonar.someArg="value\"; whoami; echo \"" ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
continue-on-error: true
with:
args: ${{ matrix.args }}
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Fail if action succeeded
if: steps.runTest.outcome == 'success'
run: exit 1
- name: Assert the scanner was not called
run: |
./test/assertFileDoesntExist ./output.properties
backtickCommandInjectionTest:
name: >
'args' input with backticks injection does not execute command
strategy: strategy:
matrix: matrix:
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ] os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
@ -64,16 +91,76 @@ jobs:
uses: ./ uses: ./
continue-on-error: true continue-on-error: true
with: with:
args: -Dsonar.someArg=aValue && echo "Injection" args: >
-Dsonar.arg1="refs/heads/branch: [workflows] Bump `actions/*`" -Dsonar.arg2="test `echo Command Injection`" -Dsonar.arg3="`id`" -Dsonar.arg4="test'; `echo injection`; echo '" -Dsonar.arg5=" `whoami` " -Dsonar.arg6="test\`echo injection\`test"
env: env:
SONAR_HOST_URL: http://not_actually_used SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}' SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Fail if action succeeded - name: Assert command in arg is not executed
if: steps.runTest.outcome == 'success'
run: exit 1
- name: Assert the scanner was not called
run: | run: |
./test/assertFileDoesntExist ./output.properties ./test/assertFileContains ./output.properties 'sonar.arg1="refs/heads/branch\\: \[workflows\] Bump `actions/\*`"'
./test/assertFileContains ./output.properties 'sonar.arg2="test `echo Command Injection`"'
./test/assertFileContains ./output.properties 'sonar.arg3="`id`"'
./test/assertFileContains ./output.properties "sonar.arg4=\"test'; \`echo injection\`; echo '\""
./test/assertFileContains ./output.properties 'sonar.arg5=" `whoami` "'
./test/assertFileContains ./output.properties 'sonar.arg6="test\\\\`echo injection\\\\`test"'
dollarSymbolCommandInjectionTest:
name: >
'args' input with dollar command injection does not execute command
strategy:
matrix:
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
continue-on-error: true
with:
args: -Dsonar.arg1="$(whoami)" -Dsonar.arg2="$GITHUB_TOKEN" -Dsonar.arg3="$(echo outer $(echo inner))" -Dsonar.arg4="value\$(whoami)end" -Dsonar.arg5="$(printf 'A%.0s' {1..10000})" -Dsonar.arg6='value"; $(whoami); echo "'
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert command in arg is not executed
run: |
./test/assertFileContains ./output.properties 'sonar.arg1="$(whoami)"'
./test/assertFileContains ./output.properties 'sonar.arg2="$GITHUB_TOKEN"'
./test/assertFileContains ./output.properties 'sonar.arg3="$(echo outer $(echo inner))"'
./test/assertFileContains ./output.properties 'sonar.arg4="value\\\\$(whoami)end"'
./test/assertFileContains ./output.properties 'sonar.arg5="$(printf '\''A%.0s'\'' {1..10000})"'
./test/assertFileContains ./output.properties 'sonar.arg6='\''value"; $(whoami); echo "'\'''
otherCommandInjectionVariantsTest:
name: >
'args' input with other command injection variants does not execute command
strategy:
matrix:
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
continue-on-error: true
with:
args: -Dsonar.arg1="test | base64" -Dsonar.arg2="value; whoami" -Dsonar.arg3="value && echo test" -Dsonar.arg4="value > /tmp/output.txt" -Dsonar.arg5="< /etc/passwd" -Dsonar.arg6="" -Dsonar.arg7="../../../*" -Dsonar.arg8="*.key" -Dsonar.arg9="test\u0027\u0060whoami\u0060"
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert command in arg is not executed
run: |
./test/assertFileContains ./output.properties 'sonar.arg1="test | base64"'
./test/assertFileContains ./output.properties 'sonar.arg2="value; whoami"'
./test/assertFileContains ./output.properties 'sonar.arg3="value && echo test"'
./test/assertFileContains ./output.properties 'sonar.arg4="value > /tmp/output.txt"'
./test/assertFileContains ./output.properties 'sonar.arg5="< /etc/passwd"'
./test/assertFileContains ./output.properties 'sonar.arg6=""'
./test/assertFileContains ./output.properties 'sonar.arg7="../../../\*"'
./test/assertFileContains ./output.properties 'sonar.arg8="\*.key"'
./test/assertFileContains ./output.properties 'sonar.arg9="test\\\\u0027\\\\u0060whoami\\\\u0060"'
projectBaseDirInputTest: projectBaseDirInputTest:
name: > name: >
'projectBaseDir' input 'projectBaseDir' input

6
action.yml
View file

@ -51,11 +51,9 @@ runs:
run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
shell: bash shell: bash
- name: Run SonarScanner - name: Run SonarScanner
run: | run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner.sh
args=(${{ inputs.args }})
cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${args[@]}")
"${cmd[@]}"
shell: bash shell: bash
env: env:
INPUT_ARGS: ${{ inputs.args }}
INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }} INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
SONAR_SCANNER_JRE: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/jre SONAR_SCANNER_JRE: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/jre

12
scripts/run-sonar-scanner-cli.sh
View file

@ -73,7 +73,17 @@ if [[ -n "${SONAR_ROOT_CERT}" ]]; then
scanner_args+=("-Dsonar.scanner.truststorePassword=$SONAR_SSL_TRUSTSTORE_PASSWORD") scanner_args+=("-Dsonar.scanner.truststorePassword=$SONAR_SSL_TRUSTSTORE_PASSWORD")
fi fi
scanner_args+=("$@") # split input args correctly (passed through INPUT_ARGS env var to avoid execution of injected command)
args=()
if [[ -n "${INPUT_ARGS}" ]]; then
# the regex recognizes args with values in single or double quotes (without character escaping), and args without quotes as well
# more specifically, the following patterns: -Darg="value", -Darg='value', -Darg=value, "-Darg=value" and '-Darg=value'
IFS=$'\n'; args=($(echo ${INPUT_ARGS} | egrep -o '[^" '\'']+="[^"]*"|[^" '\'']+='\''[^'\'']*'\''|[^" '\'']+|"[^"]+"|'\''[^'\'']+'\'''))
fi
for arg in "${args[@]}"; do
scanner_args+=("$arg")
done
set -ux set -ux

6
scripts/run-sonar-scanner.sh Executable file
View file

@ -0,0 +1,6 @@
#!/usr/bin/env bash
set -euo pipefail
# run the sonar scanner cli
cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${INPUT_ARGS}")
"${cmd[@]}"