Escaping key and quoting it to avoid key based command injection (#2062)

* escaping key and quoting it to avoid key based command injection

* extracted creation of flags to DockerUtil, with tests included
Nikola Jokic
2022-08-23 07:42:29 -07:00
committed by GitHub
parent 1cb1779d6b
commit 01fd04464d
4 changed files with 83 additions and 6 deletions


@@ -131,11 +131,11 @@ namespace GitHub.Runner.Worker.Container
{
if (String.IsNullOrEmpty(env.Value))
{
dockerOptions.Add($"-e \"{env.Key}\"");
dockerOptions.Add(DockerUtil.CreateEscapedOption("-e", env.Key));
}
else
{
dockerOptions.Add($"-e \"{env.Key}={env.Value.Replace("\"", "\\\"")}\"");
dockerOptions.Add(DockerUtil.CreateEscapedOption("-e", env.Key, env.Value));
}
}
@@ -202,7 +202,7 @@ namespace GitHub.Runner.Worker.Container
{
// e.g. -e MY_SECRET maps the value into the exec'ed process without exposing
// the value directly in the command
dockerOptions.Add($"-e {env.Key}");
dockerOptions.Add(DockerUtil.CreateEscapedOption("-e", env.Key));
}
// Watermark for GitHub Action environment
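Review bot: Escaping the key in `DockerUtil.CreateEscapedOption` (defined in another file of this commit, not visible here) neutralises quoting but, if it only quotes and escapes as the removed `env.Value.Replace("\"", "\\\"")` line did, any string is still forwarded to docker as an environment-variable name, including one containing `=` or whitespace; an allowlist check before the `String.IsNullOrEmpty(env.Value)` branch would be a stronger guard than escaping, e.g. `if (!Regex.IsMatch(env.Key, "^[A-Za-z_][A-Za-z0-9_]*$")) throw new ArgumentException($"Invalid environment variable name '{env.Key}'");` (needs `using System.Text.RegularExpressions;`), or a logged warning if hard rejection could break existing workflows. The empty-value branch emits `-e KEY` with no `=`, which per docker's `-e NAME` semantics inherits the key's value from the runner process environment rather than passing an empty string, so if that is intended a comment matching the one in the second hunk (`// -e KEY without a value inherits it from the runner's own environment`) would save the next reader from assuming an empty value is set. Both hunks only reach the `-e` options; other interpolated docker arguments built by the same code outside this section, if any, would need the same treatment. The enclosing method starts before the first hunk and, as far as this page shows, continues past the last line.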