SQSCANGHA-101 Add more command injection tests

2025-08-28 10:49:39 +02:00
parent 5fc8cfce6b
commit 016cabf33a
4 changed files with 114 additions and 13 deletions
--- a/scripts/run-sonar-scanner-cli.sh
+++ b/scripts/run-sonar-scanner-cli.sh
@@ -73,7 +73,17 @@ if [[ -n "${SONAR_ROOT_CERT}" ]]; then
  scanner_args+=("-Dsonar.scanner.truststorePassword=$SONAR_SSL_TRUSTSTORE_PASSWORD")
 fi

-scanner_args+=("$@")
+# split input args correctly (passed through INPUT_ARGS env var to avoid execution of injected command)
+args=()
+if [[ -n "${INPUT_ARGS}" ]]; then
+#  the regex recognizes args with values in single or double quotes (without character escaping), and args without quotes as well
+#  more specifically, the following patterns: -Darg="value", -Darg='value', -Darg=value, "-Darg=value" and '-Darg=value'
+  IFS=$'\n'; args=($(echo ${INPUT_ARGS} | egrep -o '[^" '\'']+="[^"]*"|[^" '\'']+='\''[^'\'']*'\''|[^" '\'']+|"[^"]+"|'\''[^'\'']+'\'''))
+fi
+
+for arg in "${args[@]}"; do
+  scanner_args+=("$arg")
+done

 set -ux