actions/sonarqube-scan-action
2
0
Fork 0
mirror of https://github.com/SonarSource/sonarqube-scan-action.git synced 2025-12-12 17:31:15 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

SQSCANGHA-89 Fix possible command injection

Browse source 
It is unlikely to be a real concern, since an attacker having the possibility to edit a pipeline can easily execute any command, but at least our step won't be involved
This commit is contained in:
Julien HENRY 2025-04-28 12:17:31 +02:00
parent 12d7d00f02
commit be0a85295f
5 changed files with 43 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
.github/workflows/qa-main.yml vendored
View file

@ -38,13 +38,39 @@ jobs:
- name: Run action with args - name: Run action with args
uses: ./ uses: ./
with: with:
args: -Dsonar.someArg=aValue -Dsonar.scanner.internal.dumpToFile=./output.properties args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value"
env: env:
SONAR_HOST_URL: http://not_actually_used SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}' SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert - name: Assert
run: | run: |
./test/assertFileContains ./output.properties "sonar.someArg=aValue" ./test/assertFileContains ./output.properties "sonar.someArg=aValue"
./test/assertFileContains ./output.properties "sonar.anotherArgWithSpaces=Another Value"
argsInputInjectionTest:
name: >
'args' input with command injection will fail
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
continue-on-error: true
with:
args: -Dsonar.someArg=aValue && echo "Injection"
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Fail if action succeeded
if: steps.runTest.outcome == 'success'
run: exit 1
- name: Assert the scanner was not called
run: |
./test/assertFileDoesntExist ./output.properties
projectBaseDirInputTest: projectBaseDirInputTest:
name: > name: >
'projectBaseDir' input 'projectBaseDir' input

5
action.yml
View file

@ -50,7 +50,10 @@ runs:
run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
shell: bash shell: bash
- name: Run SonarScanner - name: Run SonarScanner
run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh ${{ inputs.args }} run: |
args=(${{ inputs.args }})
cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${args[@]}")
"${cmd[@]}"
shell: bash shell: bash
env: env:
INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }} INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}

8
test/assertFileContains
View file

@ -1,10 +1,14 @@
#!/bin/bash #!/bin/bash
set -eou pipefail
error() { echo -e "\\e[31m✗ $*\\e[0m"; } error() { echo -e "\\e[31m✗ $*\\e[0m"; }
assertFileExists $1 scriptDir=$(dirname -- "$(readlink -f -- "${BASH_SOURCE[0]}")")
if ! grep -q $2 $1; then $scriptDir/assertFileExists "$1"
if ! grep -q "$2" "$1"; then
error "'$2' not found in '$1'" error "'$2' not found in '$1'"
exit 1 exit 1
fi fi

4
test/assertFileDoesntExist
View file

@ -1,8 +1,10 @@
#!/bin/bash #!/bin/bash
set -eou pipefail
error() { echo -e "\\e[31m✗ $*\\e[0m"; } error() { echo -e "\\e[31m✗ $*\\e[0m"; }
if [ -f $1 ]; then if [ -f "$1" ]; then
error "File '$1' found" error "File '$1' found"
exit 1 exit 1
fi fi

4
test/assertFileExists
View file

@ -1,8 +1,10 @@
#!/bin/bash #!/bin/bash
set -eou pipefail
error() { echo -e "\\e[31m✗ $*\\e[0m"; } error() { echo -e "\\e[31m✗ $*\\e[0m"; }
if [ ! -f $1 ]; then if [ ! -f "$1" ]; then
error "File '$1' not found" error "File '$1' not found"
exit 1 exit 1
fi fi