Fix command injection from consumer of action

Contributed by STMicroelectronics Signed-off-by: Torbjörn SVENSSON <torbjorn.svensson@foss.st.com>
2025-12-12 17:31:15 +00:00 · 2025-08-12 18:52:02 +02:00 · 2025-08-12 18:52:02 +02:00 · ceb063f8f7
commit ceb063f8f7
parent 01850e2590
2 changed files with 51 additions and 2 deletions
--- a/.github/workflows/qa-main.yml
+++ b/.github/workflows/qa-main.yml
@ -74,6 +74,56 @@ jobs:
      - name: Assert the scanner was not called
        run: |
          ./test/assertFileDoesntExist ./output.properties
+  argsInputInjectionTest2:
+    name: >
+      'args' input with command injection will fail 2
+    strategy:
+      matrix:
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run action with args
+        uses: ./
+        continue-on-error: true
+        with:
+          args: -Dsonar.someArg="some value `echo Injection` with space"
+        env:
+          SONAR_HOST_URL: http://not_actually_used
+          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+      - name: Fail if action succeeded
+        if: steps.runTest.outcome == 'success'
+        run: exit 1
+      - name: Assert the scanner was not called
+        run: |
+          ./test/assertFileDoesntExist ./output.properties
+  argsInputInjectionTest3:
+    name: >
+      'args' input with command injection will fail 3
+    strategy:
+      matrix:
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run action with args
+        uses: ./
+        continue-on-error: true
+        with:
+          args: -Dsonar.someArg="some value $(echo Injection) with space"
+        env:
+          SONAR_HOST_URL: http://not_actually_used
+          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+      - name: Fail if action succeeded
+        if: steps.runTest.outcome == 'success'
+        run: exit 1
+      - name: Assert the scanner was not called
+        run: |
+          ./test/assertFileDoesntExist ./output.properties
  projectBaseDirInputTest:
    name: >
      'projectBaseDir' input
--- a/action.yml
+++ b/action.yml
@ -53,8 +53,7 @@ runs:
    - name: Run SonarScanner
      run: |
        args=(${{ inputs.args }})
-        cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${args[@]}")
-        "${cmd[@]}"
+        "${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh" "${args[@]}"
      shell: bash
      env:
        INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}