actions/sonarqube-scan-action
2
0
Fork 0
mirror of https://github.com/SonarSource/sonarqube-scan-action.git synced 2025-12-13 18:01:15 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fix command injection from consumer of action

Browse source 
Contributed by STMicroelectronics

Signed-off-by: Torbjörn SVENSSON <torbjorn.svensson@foss.st.com>
This commit is contained in:
Torbjörn SVENSSON 2025-08-12 18:52:02 +02:00
parent 01850e2590
commit ceb063f8f7
2 changed files with 51 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

50
.github/workflows/qa-main.yml vendored
View file

@ -74,6 +74,56 @@ jobs:
- name: Assert the scanner was not called - name: Assert the scanner was not called
run: | run: |
./test/assertFileDoesntExist ./output.properties ./test/assertFileDoesntExist ./output.properties
argsInputInjectionTest2:
name: >
'args' input with command injection will fail 2
strategy:
matrix:
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
continue-on-error: true
with:
args: -Dsonar.someArg="some value `echo Injection` with space"
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Fail if action succeeded
if: steps.runTest.outcome == 'success'
run: exit 1
- name: Assert the scanner was not called
run: |
./test/assertFileDoesntExist ./output.properties
argsInputInjectionTest3:
name: >
'args' input with command injection will fail 3
strategy:
matrix:
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
continue-on-error: true
with:
args: -Dsonar.someArg="some value $(echo Injection) with space"
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Fail if action succeeded
if: steps.runTest.outcome == 'success'
run: exit 1
- name: Assert the scanner was not called
run: |
./test/assertFileDoesntExist ./output.properties
projectBaseDirInputTest: projectBaseDirInputTest:
name: > name: >
'projectBaseDir' input 'projectBaseDir' input

3
action.yml
View file

@ -53,8 +53,7 @@ runs:
- name: Run SonarScanner - name: Run SonarScanner
run: | run: |
args=(${{ inputs.args }}) args=(${{ inputs.args }})
cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${args[@]}") "${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh" "${args[@]}"
"${cmd[@]}"
shell: bash shell: bash
env: env:
INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }} INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}