SQSCANGHA-89 Fix possible command injection

It is unlikely to be a real concern, since an attacker having the possibility to edit a pipeline can easily execute any command, but at least our step won't be involved

.github/workflows/qa-main.yml

@@ -38,13 +38,39 @@ jobs:
       - name: Run action with args
         uses: ./
         with:
-          args: -Dsonar.someArg=aValue -Dsonar.scanner.internal.dumpToFile=./output.properties
+          args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value"
         env:
           SONAR_HOST_URL: http://not_actually_used
           SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
       - name: Assert
         run: |
           ./test/assertFileContains ./output.properties "sonar.someArg=aValue"
+          ./test/assertFileContains ./output.properties "sonar.anotherArgWithSpaces=Another Value"
+  argsInputInjectionTest:
+    name: >
+      'args' input with command injection will fail
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, windows-latest, macos-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run action with args
+        uses: ./
+        continue-on-error: true
+        with:
+          args: -Dsonar.someArg=aValue && echo "Injection"
+        env:
+          SONAR_HOST_URL: http://not_actually_used
+          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+      - name: Fail if action succeeded
+        if: steps.runTest.outcome == 'success'
+        run: exit 1
+      - name: Assert the scanner was not called
+        run: |
+          ./test/assertFileDoesntExist ./output.properties
   projectBaseDirInputTest:
     name: >
       'projectBaseDir' input

action.yml

@@ -50,7 +50,10 @@ runs:
       run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
       shell: bash
     - name: Run SonarScanner
-      run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh ${{ inputs.args }}
+      run: |
+        args=(${{ inputs.args }})
+        cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${args[@]}")
+        "${cmd[@]}"
       shell: bash
       env:
         INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}

test/assertFileContains

@@ -1,10 +1,14 @@
 #!/bin/bash
 
+set -eou pipefail
+
 error() { echo -e "\\e[31m✗ $*\\e[0m"; }
 
-assertFileExists $1
+scriptDir=$(dirname -- "$(readlink -f -- "${BASH_SOURCE[0]}")")
 
-if ! grep -q $2 $1; then
+$scriptDir/assertFileExists "$1"
+
+if ! grep -q "$2" "$1"; then
   error "'$2' not found in '$1'"
   exit 1
 fi

test/assertFileDoesntExist

@@ -1,8 +1,10 @@
 #!/bin/bash
 
+set -eou pipefail
+
 error() { echo -e "\\e[31m✗ $*\\e[0m"; }
 
-if [ -f $1 ]; then
+if [ -f "$1" ]; then
   error "File '$1' found"
   exit 1
 fi

test/assertFileExists

@@ -1,8 +1,10 @@
 #!/bin/bash
 
+set -eou pipefail
+
 error() { echo -e "\\e[31m✗ $*\\e[0m"; }
 
-if [ ! -f $1 ]; then
+if [ ! -f "$1" ]; then
   error "File '$1' not found"
   exit 1
 fi