From ceb063f8f74487a225731ccc24e3dd9a3d295e7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torbj=C3=B6rn=20SVENSSON?=
Date: Tue, 12 Aug 2025 18:52:02 +0200
Subject: [PATCH] Fix command injection from consumer of action
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Contributed by STMicroelectronics
Signed-off-by: Torbjörn SVENSSON
---
 .github/workflows/qa-main.yml | 50 +++++++++++++++++++++++++++++++++++
 action.yml | 3 +--
 2 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/qa-main.yml b/.github/workflows/qa-main.yml
index 4a78ea9..a5acf0e 100644
--- a/.github/workflows/qa-main.yml
+++ b/.github/workflows/qa-main.yml
@@ -74,6 +74,56 @@ jobs:
 - name: Assert the scanner was not called
 run: |
 ./test/assertFileDoesntExist ./output.properties
+ argsInputInjectionTest2:
+ name: >
+ 'args' input with command injection will fail 2
+ strategy:
+ matrix:
+ os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Run action with args
+ uses: ./
+ continue-on-error: true
+ with:
+ args: -Dsonar.someArg="some value `echo Injection` with space"
+ env:
+ SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+ - name: Fail if action succeeded
+ if: steps.runTest.outcome == 'success'
+ run: exit 1
+ - name: Assert the scanner was not called
+ run: |
+ ./test/assertFileDoesntExist ./output.properties
+ argsInputInjectionTest3:
+ name: >
+ 'args' input with command injection will fail 3
+ strategy:
+ matrix:
+ os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Run action with args
+ uses: ./
+ continue-on-error: true
+ with:
+ args: -Dsonar.someArg="some value $(echo Injection) with space"
+ env:
+ SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+ - name: Fail if action succeeded
+ if: steps.runTest.outcome == 'success'
+ run: exit 1
+ - name: Assert the scanner was not called
+ run: |
+ ./test/assertFileDoesntExist ./output.properties
 projectBaseDirInputTest:
 name: >
 'projectBaseDir' input
diff --git a/action.yml b/action.yml
index 39b39f2..f51da6d 100644
--- a/action.yml
+++ b/action.yml
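Review bot: In both new jobs the `Fail if action succeeded` step is gated on `steps.runTest.outcome == 'success'`, but the `Run action with args` step it refers to has no `id: runTest`, so the `steps.runTest` lookup should evaluate as empty and the `exit 1` step can never run; only the trailing `assertFileDoesntExist` step actually guards the result. Add `id: runTest` to the `Run action with args` step in both argsInputInjectionTest2 and argsInputInjectionTest3 (the job above the hunk may share the pattern, but it is outside my view). The two jobs are otherwise byte-identical apart from the `args` payload; one job with a `matrix` over the payload strings would keep them from drifting apart.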
@@ -53,8 +53,7 @@ runs:
 - name: Run SonarScanner
 run: |
 args=(${{ inputs.args }})
- cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${args[@]}")
- "${cmd[@]}"
+ "${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh" "${args[@]}"
 shell: bash
 env:
 INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
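Review bot: The unchanged context line `args=(${{ inputs.args }})` still splices the `args` input into the script text before bash parses it, so substitutions contained in that input are evaluated by the shell regardless of this hunk; quoting the script path on the new line only hardens against word-splitting of `GITHUB_ACTION_PATH`. Unless a step outside this hunk validates `inputs.args` first (the new tests hint that something rejects such input), the value should reach the shell through the environment the way `projectBaseDir` already does: add `INPUT_ARGS: ${{ inputs.args }}` under `env:` and build the array from `"${INPUT_ARGS}"` (for example `read -ra args <<< "${INPUT_ARGS}"`), accepting that this no longer honours shell quoting inside the value. The step's `env:` block may continue past the last line of the hunk.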