
SQSCANGHA-101 Add more input injection tests#200

Merged
aleksandra-bozhinoska-sonarsource merged 2 commits into master from task/abozhinoska/SQSCANGHA-101/add-input-injection-tests on Aug 28, 2025

Conversation

@aleksandra-bozhinoska-sonarsource (Contributor) commented Aug 21, 2025

SQSCANGHA-101

Please be aware that we are not actively looking for feature contributions. The truth is that it's extremely difficult for someone outside SonarSource to comply with our roadmap and expectations. Therefore, we typically only accept minor cosmetic changes and typo fixes. If you would like to see a new feature, please create a new thread in the forum "Suggest new features".

With that in mind, if you would like to submit a code contribution, make sure that you adhere to the following guidelines and all tests are passing:

  • Please explain your motives for contributing this change: what problem you are trying to fix, what improvement you are trying to make
  • Make sure any code you changed is covered by tests
  • If there is a JIRA ticket available, please make your commits and pull request start with the ticket ID (SONAR-XXXX)

We will try to give you feedback on your contribution as quickly as possible.

Thank You!
The SonarSource Team

@aleksandra-bozhinoska-sonarsource aleksandra-bozhinoska-sonarsource force-pushed the task/abozhinoska/SQSCANGHA-101/add-input-injection-tests branch 8 times, most recently from ae5237d to 03037ab on August 22, 2025 08:14
@aleksandra-bozhinoska-sonarsource aleksandra-bozhinoska-sonarsource force-pushed the task/abozhinoska/SQSCANGHA-101/add-input-injection-tests branch 4 times, most recently from 21d1af5 to 28a1a1a on August 27, 2025 11:45
@aleksandra-bozhinoska-sonarsource aleksandra-bozhinoska-sonarsource changed the title from "SQSCANGHA-101 Add another test" to "SQSCANGHA-101 Add more input injection tests" on Aug 27, 2025
@aleksandra-bozhinoska-sonarsource aleksandra-bozhinoska-sonarsource force-pushed the task/abozhinoska/SQSCANGHA-101/add-input-injection-tests branch from 28a1a1a to 940c3a5 on August 27, 2025 12:55
@aleksandra-bozhinoska-sonarsource aleksandra-bozhinoska-sonarsource force-pushed the task/abozhinoska/SQSCANGHA-101/add-input-injection-tests branch from 940c3a5 to 67117d0 on August 27, 2025 15:17
@aleksandra-bozhinoska-sonarsource aleksandra-bozhinoska-sonarsource marked this pull request as ready for review on August 28, 2025 08:45
@aleksandra-bozhinoska-sonarsource aleksandra-bozhinoska-sonarsource force-pushed the task/abozhinoska/SQSCANGHA-101/add-input-injection-tests branch from bdd71f8 to a9a17d3 on August 28, 2025 08:50
@aleksandra-bozhinoska-sonarsource aleksandra-bozhinoska-sonarsource merged commit 016cabf into master Aug 28, 2025
70 checks passed
@aleksandra-bozhinoska-sonarsource aleksandra-bozhinoska-sonarsource deleted the task/abozhinoska/SQSCANGHA-101/add-input-injection-tests branch August 28, 2025 08:57
set -euo pipefail

# run the sonar scanner cli
cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${INPUT_ARGS}")
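Review bot: `${GITHUB_ACTION_PATH}` is left unquoted inside the array on the last line, so an action path containing whitespace or glob characters would be word-split before the script name is even assembled; write it as `"${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh"` to match the quoting already applied to `"${INPUT_ARGS}"`. The way `INPUT_ARGS` is split downstream also deserves a sentence in the `args` input documentation: the reports in this thread show it is split on whitespace only, with the user's double quotes kept as literal characters and `$(...)` not executed, which is the point of routing the input through an environment variable but is not what shell users expect from a value that used to be interpolated into the command line.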


@aleksandra-bozhinoska-sonarsource @antoine-vinot-sonarsource
This generates an error when used in combination with additional quotes, i.e.:
INPUT_ARGS: -Dsonar.projectKey=prefix_$(basename "org/repo") -Dsonar.branch.name=branch -Dsonar.scm.provider=git

It generates the following command:

sonar-scanner '-Dsonar.projectKey=prefix_$(basename' '"org/repo"' ')' -Dsonar.branch.name=branch -Dsonar.scm.provider=git

Error:
11:01:03.882 ERROR Unrecognized option: "org/repo"

@kronenthaler

This change generates errors on the sonar.source/sonar.tests, e.g.
INPUT_ARGS: -Dsonar.source="Modules/A,Modules/B"

sonar-scanner '-Dsonar.sources="Modules/A,Modules/B"'

Produces error:
The folder 'Modules/A,Modules/B' does not exist for: <projectkey>

It worked fine in v5.3.0

@aleksandra-bozhinoska-sonarsource (Contributor, Author)

> This change generates errors on the sonar.source/sonar.tests, e.g. INPUT_ARGS: -Dsonar.source="Modules/A,Modules/B"
>
> sonar-scanner '-Dsonar.sources="Modules/A,Modules/B"'
>
> Produces error: The folder 'Modules/A,Modules/B' does not exist for: <projectkey>
>
> It worked fine in v5.3.0

Hello @kronenthaler, can you try removing the double quotes and passing the arg like -Dsonar.sources=Modules/A,Modules/B? Also, for better visibility, please consider posting on our community if you encounter any further issues.

@kronenthaler

Hi @aleksandra-bozhinoska-sonarsource, is there a specific topic in the forum related to this change/issue?

@aleksandra-bozhinoska-sonarsource (Contributor, Author)

> Hi @aleksandra-bozhinoska-sonarsource, is there a specific topic in the forum related to this change/issue?

Not that I am aware of @kronenthaler - feel free to open a new one if my suggestion above did not help.

@kronenthaler

@aleksandra-bozhinoska-sonarsource Thanks, I have made a report and a sample project. Linked here for cross-reference: https://community.sonarsource.com/t/sonarqube-scan-action-v5-3-1-is-broken/147965

@ericcornelissen

Any particular reason the use of ${{ inputs.scannerVersion }} in

run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH

is trusted while ${{ inputs.args }} wasn't and was changed here? I would expect all inputs to be untrusted, hence the above to be fixed too 🤔
