From 5b7807d54bea123b38714ffb19570eda182017ed Mon Sep 17 00:00:00 2001
From: Florian Braun
Date: Wed, 31 Mar 2021 03:09:08 +0200
Subject: [PATCH] Quote vars in entrypoint.sh to prevent unwanted argument split (#420)

Prevents arguments from being split when e.g. the RUNNER_GROUP variable contains spaces (which is legit. One can create such groups in GitHub). I've seen that all workers with group names that contain no spaces can register successfully, while all workers with groups that contain spaces will not register. Furthermore, I suppose also other chars can be used here to inject arbitrary commands in an unsupported way via e.g. pipe symbol. Quoting the vars correctly should prevent that and allow for e.g. group names and runner labels with spaces and other bash reserved characters.
---
 runner/entrypoint.sh | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/runner/entrypoint.sh b/runner/entrypoint.sh
index 27c71305..17de836c 100755
--- a/runner/entrypoint.sh
+++ b/runner/entrypoint.sh
@@ -29,21 +29,13 @@ else
 exit 1
 fi
 
-if [ -n "${RUNNER_WORKDIR}" ]; then
- WORKDIR_ARG="--work ${RUNNER_WORKDIR}"
-fi
-
-if [ -n "${RUNNER_LABELS}" ]; then
- LABEL_ARG="--labels ${RUNNER_LABELS}"
-fi
-
 if [ -z "${RUNNER_TOKEN}" ]; then
 echo "RUNNER_TOKEN must be set" 1>&2
 exit 1
 fi
 
 if [ -z "${RUNNER_REPO}" ] && [ -n "${RUNNER_GROUP}" ];then
- RUNNER_GROUP_ARG="--runnergroup ${RUNNER_GROUP}"
+ RUNNER_GROUPS=${RUNNER_GROUP}
 fi
 
 # Hack due to https://github.com/summerwind/actions-runner-controller/issues/252#issuecomment-758338483
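Review bot: `RUNNER_GROUPS` is assigned only inside the `if [ -z "${RUNNER_REPO}" ] && [ -n "${RUNNER_GROUP}" ]` branch and is never initialised, so on every other path it keeps whatever value the container environment supplies (the `RUNNER_GROUP_ARG` it replaces had the same gap, but this name is much closer to something a pod spec might set). The second hunk passes it to `--runnergroup` unconditionally, so an inherited `RUNNER_GROUPS` could select a runner group for a repository-scoped runner that this branch was meant to exclude. Because the runner group acts as an access boundary, I would add `RUNNER_GROUPS=""` just before the `if`, or use a name that cannot collide with user-supplied environment. The `if`/`else` block this hunk opens in starts above the visible lines.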
@@ -56,7 +48,14 @@ sudo chown -R runner:docker /runner
 mv /runnertmp/* /runner/
 
 cd /runner
-./config.sh --unattended --replace --name "${RUNNER_NAME}" --url "${GITHUB_URL}${ATTACH}" --token "${RUNNER_TOKEN}" ${RUNNER_GROUP_ARG} ${LABEL_ARG} ${WORKDIR_ARG}
+./config.sh --unattended --replace \
+ --name "${RUNNER_NAME}" \
+ --url "${GITHUB_URL}${ATTACH}" \
+ --token "${RUNNER_TOKEN}" \
+ --runnergroup "${RUNNER_GROUPS}" \
+ --labels "${RUNNER_LABELS}" \
+ --work "${RUNNER_WORKDIR}"
+
 mkdir ./externals
 # Hack due to the DinD volumes
 mv ./externalstmp/* ./externals/
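Review bot: `--runnergroup`, `--labels` and `--work` are now passed on every run, with an empty string as the value when the variable is unset, whereas the removed `*_ARG` variables omitted the flag entirely in that case. Whether `config.sh` treats an empty value the same as an absent flag is not visible in this diff, so registration of runners without a group, labels or work directory now depends on that behaviour. The quoting can be kept and the flags made conditional again with `${RUNNER_GROUPS:+--runnergroup "${RUNNER_GROUPS}"} \`, `${RUNNER_LABELS:+--labels "${RUNNER_LABELS}"} \` and `${RUNNER_WORKDIR:+--work "${RUNNER_WORKDIR}"}`. Each expansion yields either nothing or exactly two words, so values with spaces still arrive as a single argument.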