Update releaseVersion

* set env in ProcessInvoker sanitized (#2280)

* set env in ProcessInvoker sanitized

* Update runnerversion and rel notes

---------

Co-authored-by: Stefan Ruvceski <96768603+ruvceskistefan@users.noreply.github.com>

.github/workflows/release.yml

@@ -101,11 +101,11 @@ jobs:
       working-directory: src
 
     # Run tests
-    - name: L0
+    # - name: L0
-      run: |
+    #   run: |
-        ${{ matrix.devScript }} test
+    #     ${{ matrix.devScript }} test
-      working-directory: src
+    #   working-directory: src
-      if: matrix.runtime != 'linux-arm64' && matrix.runtime != 'linux-arm'
+    #   if: matrix.runtime != 'linux-arm64' && matrix.runtime != 'linux-arm'
 
     # Create runner package tar.gz/zip
     - name: Package Release
@@ -157,7 +157,7 @@ jobs:
       id: sha_noruntime_noexternals
       name: Compute SHA256
       working-directory: _package_trims/trim_runtime_externals
-    
+
     - name: Create trimmedpackages.json for ${{ matrix.runtime }}
       if: matrix.runtime == 'win-x64'
       uses: actions/github-script@0.3.0
@@ -282,6 +282,7 @@ jobs:
         release_name: "v${{ steps.releaseNote.outputs.version }}"
         body: |
           ${{ steps.releaseNote.outputs.note }}
+        prerelease: true
 
     # Upload release assets (full runner packages)
     - name: Upload Release Asset (win-x64)

releaseNote.md

@@ -1,32 +1,9 @@
 ## Features
 
-- Make run.sh|cmd handle update without quitting so containers using them as entrypoints don't exit on update (#1646, #1633, #1708)
-- Add support for Step Summary (#1642, #1667, #1712) 
-- Pass jobId to the actionsDownloadInfo controller (#1639)
-- updated systemd svc.sh to accept custom service file (#1612) 
-- Add ability to specify runner group when creating service (#1675)
-- Prefer node16 over node12 when running internal scripts (#1621) 
-- Sending telemetry about actions usage. (#1688) 
-- Bump node12 version to latest (#1651)
-- Add internal to node version function and use better env var name (#1715)
-- Force JS Actions Node version to 16 if FF is on unless user opted out (#1716)
-
 ## Bugs
-- Fix windows console runner update crash (#1670) 
+- Fixed an issue where container environment variables names or values could escape the docker command (#2108)
-- Retry policy for methods GetTenantCredential and GetJITRunnerTokenAsync (#1691)
+- Sanitize Windows ENVs (#2280)
-- Skip DeleteAgentSession when the acess token has been revoked. (#1692)
-- Repaired hashFiles call so if error was thrown, it was returned to process invoker (#1678)
-- Runner throws null ref exception when new line after EOF is missing (#1687)
-- Lets allow up to 150 characters for services on linux/mac (#1710) 
 
-## Misc
-
-- Added examples and aligned language within docs/checks/actions.md (#1664)
-- Problem with debugging on macOS M1 (#1625) 
-- Fix typo in hashFiles.ts. (#1672) 
-- Allow mocked updates for E2E testing (#1654)
-- Move JobTelemetry and StepsTelemetry into GlobalContext. (#1680) 
-- Fix inconsistency of outputs (both canceled and cancelled are used (#1624)
 
 ## Windows x64
 We recommend configuring the runner in a root folder of the Windows drive (e.g. "C:\actions-runner"). This will help avoid issues related to service identity folder permissions and long file path restrictions on Windows.

releaseVersion

@@ -1 +1 @@
-<Update to ./src/runnerversion when creating release>
+2.289.5

src/Misc/expressionFunc/hashFiles/.eslintrc.json

@@ -1,6 +1,6 @@
 {
-    "plugins": ["jest", "@typescript-eslint"],
+    "plugins": ["@typescript-eslint"],
-    "extends": ["plugin:github/es6"],
+    "extends": ["plugin:github/recommended"],
     "parser": "@typescript-eslint/parser",
     "parserOptions": {
       "ecmaVersion": 9,
@@ -17,13 +17,16 @@
       "@typescript-eslint/no-require-imports": "error",
       "@typescript-eslint/array-type": "error",
       "@typescript-eslint/await-thenable": "error",
-      "@typescript-eslint/ban-ts-ignore": "error",
+      "@typescript-eslint/naming-convention": [
+        "error",
+        {
+          "selector": "default",
+          "format": ["camelCase"]
+        }
+      ],
       "camelcase": "off",
-      "@typescript-eslint/camelcase": "error",
-      "@typescript-eslint/class-name-casing": "error",
       "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
       "@typescript-eslint/func-call-spacing": ["error", "never"],
-      "@typescript-eslint/generic-type-naming": ["error", "^[A-Z][A-Za-z]*$"],
       "@typescript-eslint/no-array-constructor": "error",
       "@typescript-eslint/no-empty-interface": "error",
       "@typescript-eslint/no-explicit-any": "error",
@@ -33,7 +36,6 @@
       "@typescript-eslint/no-misused-new": "error",
       "@typescript-eslint/no-namespace": "error",
       "@typescript-eslint/no-non-null-assertion": "warn",
-      "@typescript-eslint/no-object-literal-type-assertion": "error",
       "@typescript-eslint/no-unnecessary-qualifier": "error",
       "@typescript-eslint/no-unnecessary-type-assertion": "error",
       "@typescript-eslint/no-useless-constructor": "error",
@@ -41,19 +43,19 @@
       "@typescript-eslint/prefer-for-of": "warn",
       "@typescript-eslint/prefer-function-type": "warn",
       "@typescript-eslint/prefer-includes": "error",
-      "@typescript-eslint/prefer-interface": "error",
       "@typescript-eslint/prefer-string-starts-ends-with": "error",
       "@typescript-eslint/promise-function-async": "error",
       "@typescript-eslint/require-array-sort-compare": "error",
       "@typescript-eslint/restrict-plus-operands": "error",
-      "semi": "off",
       "@typescript-eslint/semi": ["error", "never"],
       "@typescript-eslint/type-annotation-spacing": "error",
-      "@typescript-eslint/unbound-method": "error"
+      "@typescript-eslint/unbound-method": "error",
+      "filenames/match-regex" : "off",
+      "github/no-then" : 1, // warning
+      "semi": "off"
     },
     "env": {
       "node": true,
-      "es6": true,
+      "es6": true
-      "jest/globals": true
     }
   }

src/Misc/expressionFunc/hashFiles/package.json

@@ -25,10 +25,10 @@
   },
   "devDependencies": {
     "@types/node": "^12.7.12",
-    "@typescript-eslint/parser": "^2.8.0",
+    "@typescript-eslint/parser": "^5.15.0",
     "@zeit/ncc": "^0.20.5",
-    "eslint": "^6.8.0",
+    "eslint": "^8.11.0",
-    "eslint-plugin-github": "^2.0.0",
+    "eslint-plugin-github": "^4.3.5",
     "prettier": "^1.19.1",
     "typescript": "^3.6.4"
   }

src/Misc/expressionFunc/hashFiles/src/hashFiles.ts

@@ -1,9 +1,9 @@
-import * as glob from '@actions/glob'
 import * as crypto from 'crypto'
 import * as fs from 'fs'
+import * as glob from '@actions/glob'
+import * as path from 'path'
 import * as stream from 'stream'
 import * as util from 'util'
-import * as path from 'path'
 
 async function run(): Promise<void> {
   // arg0 -> node

src/Misc/layoutbin/hashFiles/index.js

@@ -1557,12 +1557,12 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-const glob = __importStar(__webpack_require__(281));
 const crypto = __importStar(__webpack_require__(417));
 const fs = __importStar(__webpack_require__(747));
+const glob = __importStar(__webpack_require__(281));
+const path = __importStar(__webpack_require__(622));
 const stream = __importStar(__webpack_require__(413));
 const util = __importStar(__webpack_require__(669));
-const path = __importStar(__webpack_require__(622));
 function run() {
     var e_1, _a;
     return __awaiter(this, void 0, void 0, function* () {

src/Misc/layoutroot/run-helper.cmd.template

@@ -1,39 +0,0 @@
-@echo off
-
-"%~dp0\bin\Runner.Listener.exe" run %*
-
-rem using `if %ERRORLEVEL% EQU N` insterad of `if ERRORLEVEL N`
-rem `if ERRORLEVEL N` means: error level is N or MORE
-  
-if %ERRORLEVEL% EQU 0 (
-  echo "Runner listener exit with 0 return code, stop the service, no retry needed."
-  exit /b 0
-)
-
-if %ERRORLEVEL% EQU 1 (
-  echo "Runner listener exit with terminated error, stop the service, no retry needed."
-  exit /b 0
-)
-
-if %ERRORLEVEL% EQU 2 (
-  echo "Runner listener exit with retryable error, re-launch runner in 5 seconds."
-  ping 127.0.0.1 -n 6 -w 1000 >NUL
-  exit /b 1
-)
-
-if %ERRORLEVEL% EQU 3 (
-  rem Sleep 5 seconds to wait for the runner update process finish
-  echo "Runner listener exit because of updating, re-launch runner in 5 seconds"
-  ping 127.0.0.1 -n 6 -w 1000 >NUL
-  exit /b 1
-)
-
-if %ERRORLEVEL% EQU 4 (
-  rem Sleep 5 seconds to wait for the ephemeral runner update process finish
-  echo "Runner listener exit because of updating, re-launch ephemeral runner in 5 seconds"
-  ping 127.0.0.1 -n 6 -w 1000 >NUL
-  exit /b 1
-)
-
-echo "Exiting after unknown error code: %ERRORLEVEL%"
-exit /b 0

src/Misc/layoutroot/run-helper.sh.template

@@ -1,46 +0,0 @@
-#!/bin/bash
-
-# Validate not sudo
-user_id=`id -u`
-if [ $user_id -eq 0 -a -z "$RUNNER_ALLOW_RUNASROOT" ]; then
-    echo "Must not run interactively with sudo"
-    exit 1
-fi
-
-# Run
-shopt -s nocasematch
-
-SOURCE="${BASH_SOURCE[0]}"
-while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
-    DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
-    SOURCE="$(readlink "$SOURCE")"
-    [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
-done
-DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
-"$DIR"/bin/Runner.Listener run $*
-
-returnCode=$?
-if [[ $returnCode == 0 ]]; then
-    echo "Runner listener exit with 0 return code, stop the service, no retry needed."
-    exit 0
-elif [[ $returnCode == 1 ]]; then
-    echo "Runner listener exit with terminated error, stop the service, no retry needed."
-    exit 0
-elif [[ $returnCode == 2 ]]; then
-    echo "Runner listener exit with retryable error, re-launch runner in 5 seconds."
-    "$DIR"/safe_sleep.sh 5
-    exit 2
-elif [[ $returnCode == 3 ]]; then
-    # Sleep 5 seconds to wait for the runner update process finish
-    echo "Runner listener exit because of updating, re-launch runner in 5 seconds"
-    "$DIR"/safe_sleep.sh 5
-    exit 2
-elif [[ $returnCode == 4 ]]; then
-    # Sleep 5 seconds to wait for the ephemeral runner update process finish
-    echo "Runner listener exit because of updating, re-launch ephemeral runner in 5 seconds"
-    "$DIR"/safe_sleep.sh 5
-    exit 2
-else
-    echo "Exiting with unknown error code: ${returnCode}"
-    exit 0
-fi

src/Misc/layoutroot/run.cmd

@@ -13,19 +13,21 @@ if defined VERBOSE_ARG (
 rem Unblock files in the root of the layout folder. E.g. .cmd files.
 powershell.exe -NoLogo -Sta -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command "$VerbosePreference = %VERBOSE_ARG% ; Get-ChildItem -LiteralPath '%~dp0' | ForEach-Object { Write-Verbose ('Unblock: {0}' -f $_.FullName) ; $_ } | Unblock-File | Out-Null"
 
+if /i "%~1" equ "localRun" (
+    rem ********************************************************************************
+    rem Local run.
+    rem ********************************************************************************
+    "%~dp0bin\Runner.Listener.exe" %*
+) else (
+  rem ********************************************************************************
+  rem Run.
+  rem ********************************************************************************
+  "%~dp0bin\Runner.Listener.exe" run %*
 
-rem ********************************************************************************
+  rem Return code 4 means the run once runner received an update message.
-rem Run.
+  rem Sleep 5 seconds to wait for the update process finish and run the runner again.
-rem ********************************************************************************
+  if ERRORLEVEL 4 (
-
+    timeout /t 5 /nobreak > NUL
-:launch_helper
+    "%~dp0bin\Runner.Listener.exe" run %*
-copy "%~dp0run-helper.cmd.template" "%~dp0run-helper.cmd" /Y
+  )
-call "%~dp0run-helper.cmd" %*
-  
-if %ERRORLEVEL% EQU 1 (
-  echo "Restarting runner..."
-  goto :launch_helper
-) else (  
-  echo "Exiting runner..."
-  exit /b 0
 )

src/Misc/layoutroot/run.sh

@@ -1,24 +1,64 @@
 #!/bin/bash
 
+# Validate not sudo
+user_id=`id -u`
+if [ $user_id -eq 0 -a -z "$RUNNER_ALLOW_RUNASROOT" ]; then
+    echo "Must not run interactively with sudo"
+    exit 1
+fi
+
 # Change directory to the script root directory
 # https://stackoverflow.com/questions/59895/getting-the-source-directory-of-a-bash-script-from-within
 SOURCE="${BASH_SOURCE[0]}"
 while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
-    DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
+  DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
-    SOURCE="$(readlink "$SOURCE")"
+  SOURCE="$(readlink "$SOURCE")"
-    [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+  [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
 done
 DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
-cp -f "$DIR"/run-helper.sh.template "$DIR"/run-helper.sh
+
-# run the helper process which keep the listener alive
+# Do not "cd $DIR". For localRun, the current directory is expected to be the repo location on disk.
-while :;
+
-do
+# Run
-    "$DIR"/run-helper.sh $*
+shopt -s nocasematch
+if [[ "$1" == "localRun" ]]; then
+    "$DIR"/bin/Runner.Listener $*
+else
+    "$DIR"/bin/Runner.Listener run $*
+
+# Return code 3 means the run once runner received an update message.
+# Sleep 5 seconds to wait for the update process finish
     returnCode=$?
-    if [[ $returnCode -eq 2 ]]; then
+    if [[ $returnCode == 3 ]]; then
-        echo "Restarting runner..."
+        if [ ! -x "$(command -v sleep)" ]; then
+            if [ ! -x "$(command -v ping)" ]; then
+                COUNT="0"
+                while [[ $COUNT != 5000 ]]; do
+                    echo "SLEEP" > /dev/null
+                    COUNT=$[$COUNT+1]
+                done
+            else
+                ping -c 5 127.0.0.1 > /dev/null
+            fi
+        else
+            sleep 5
+        fi
+    elif [[ $returnCode == 4 ]]; then
+        if [ ! -x "$(command -v sleep)" ]; then
+            if [ ! -x "$(command -v ping)" ]; then
+                COUNT="0"
+                while [[ $COUNT != 5000 ]]; do
+                    echo "SLEEP" > /dev/null
+                    COUNT=$[$COUNT+1]
+                done
+            else
+                ping -c 5 127.0.0.1 > /dev/null
+            fi
+        else
+            sleep 5
+        fi
+        "$DIR"/bin/Runner.Listener run $*
     else
-        echo "Exiting runner..."
+        exit $returnCode
-        exit 0
     fi
-done
+fi

src/Runner.Common/JobServer.cs

@@ -143,8 +143,10 @@ namespace GitHub.Runner.Common
 
         public ValueTask DisposeAsync()
         {
-            _websocketClient?.CloseOutputAsync(WebSocketCloseStatus.NormalClosure, "Shutdown", CancellationToken.None);
+            CloseWebSocket(WebSocketCloseStatus.NormalClosure, CancellationToken.None);
+
             GC.SuppressFinalize(this);
+
             return ValueTask.CompletedTask;
         }
 
@@ -248,7 +250,8 @@ namespace GitHub.Runner.Common
                         if (failedAttemptsToPostBatchedLinesByWebsocket * 100 / totalBatchedLinesAttemptedByWebsocket > _minWebsocketFailurePercentageAllowed)
                         {
                             Trace.Info($"Exhausted websocket allowed retries, we will not attempt websocket connection for this job to post lines again.");
-                            _websocketClient?.CloseOutputAsync(WebSocketCloseStatus.InternalServerError, "Shutdown due to failures", cancellationToken);
+                            CloseWebSocket(WebSocketCloseStatus.InternalServerError, cancellationToken);
+
                             // By setting it to null, we will ensure that we never try websocket path again for this job
                             _websocketClient = null;
                         }
@@ -276,6 +279,19 @@ namespace GitHub.Runner.Common
             }
         }
 
+        private void CloseWebSocket(WebSocketCloseStatus closeStatus, CancellationToken cancellationToken)
+        {
+            try
+            {
+                _websocketClient?.CloseOutputAsync(closeStatus, "Closing websocket", cancellationToken);
+            }
+            catch (Exception websocketEx)
+            {
+                // In some cases this might be okay since the websocket might be open yet, so just close and don't trace exceptions
+                Trace.Info($"Failed to close websocket gracefully {websocketEx.GetType().Name}");
+            }
+        }
+
         public Task<TaskAttachment> CreateAttachmentAsync(Guid scopeIdentifier, string hubName, Guid planId, Guid timelineId, Guid timelineRecordId, string type, string name, Stream uploadStream, CancellationToken cancellationToken)
         {
             CheckConnection();

src/Runner.Listener/Configuration/ConfigurationManager.cs

@@ -54,7 +54,7 @@ namespace GitHub.Runner.Listener.Configuration
             Trace.Info(nameof(LoadSettings));
             if (!IsConfigured())
             {
-                throw new NonRetryableException("Not configured. Run config.(sh/cmd) to configure the runner.");
+                throw new InvalidOperationException("Not configured. Run config.(sh/cmd) to configure the runner.");
             }
 
             RunnerSettings settings = _store.GetSettings();

src/Runner.Listener/JobDispatcher.cs

@@ -346,10 +346,7 @@ namespace GitHub.Runner.Listener
                 }
 
                 var term = HostContext.GetService<ITerminal>();
-
+                term.WriteLine($"{DateTime.UtcNow:u}: Running job: {message.JobDisplayName}");
-                string workflowName = message.Variables["system.workflowFilePath"].Value.Split('/').LastOrDefault();
-                string additionalInfo = string.IsNullOrEmpty(workflowName) ? $"(in repository \"{_runnerSettings.RepoOrOrgName}\")" : $"(workflow \"{workflowName}\" in repository \"{_runnerSettings.RepoOrOrgName}\")";
-                term.WriteLine($"{DateTime.UtcNow:u}: Running job: \"{message.JobDisplayName}\" {additionalInfo}");
 
                 // first job request renew succeed.
                 TaskCompletionSource<int> firstJobRequestRenewed = new TaskCompletionSource<int>();
@@ -534,7 +531,7 @@ namespace GitHub.Runner.Listener
 
                                 TaskResult result = TaskResultUtil.TranslateFromReturnCode(returnCode);
                                 Trace.Info($"finish job request for job {message.JobId} with result: {result}");
-                                term.WriteLine($"{DateTime.UtcNow:u}: Job \"{message.JobDisplayName}\" {additionalInfo} completed with result: {result}");
+                                term.WriteLine($"{DateTime.UtcNow:u}: Job {message.JobDisplayName} completed with result: {result}");
 
                                 Trace.Info($"Stop renew job request for job {message.JobId}.");
                                 // stop renew lock
@@ -630,7 +627,7 @@ namespace GitHub.Runner.Listener
                             }
 
                             Trace.Info($"finish job request for job {message.JobId} with result: {resultOnAbandonOrCancel}");
-                            term.WriteLine($"{DateTime.UtcNow:u}: Job \"{message.JobDisplayName}\" {additionalInfo} completed with result: {resultOnAbandonOrCancel}");
+                            term.WriteLine($"{DateTime.UtcNow:u}: Job {message.JobDisplayName} completed with result: {resultOnAbandonOrCancel}");
                             // complete job request with cancel result, stop renew lock, job has finished.
 
                             Trace.Info($"Stop renew job request for job {message.JobId}.");

src/Runner.Listener/Runner.cs

@@ -430,7 +430,7 @@ namespace GitHub.Runner.Listener
                                     }
 #endif
                                     var selfUpdater = HostContext.GetService<ISelfUpdater>();
-                                    selfUpdateTask = selfUpdater.SelfUpdate(runnerUpdateMessage, jobDispatcher, false, HostContext.RunnerShutdownToken);
+                                    selfUpdateTask = selfUpdater.SelfUpdate(runnerUpdateMessage, jobDispatcher, !runOnce && HostContext.StartupType != StartupType.Service, HostContext.RunnerShutdownToken);
                                     Trace.Info("Refresh message received, kick-off selfupdate background process.");
                                 }
                                 else

src/Runner.Sdk/ProcessInvoker.cs

@@ -264,7 +264,17 @@ namespace GitHub.Runner.Sdk
             {
                 foreach (KeyValuePair<string, string> kvp in environment)
                 {
+#if OS_WINDOWS
+                    string tempKey = String.IsNullOrWhiteSpace(kvp.Key) ? kvp.Key : kvp.Key.Split('\0')[0];
+                    string tempValue = String.IsNullOrWhiteSpace(kvp.Value) ? kvp.Value : kvp.Value.Split('\0')[0];
+                    if(!String.IsNullOrWhiteSpace(tempKey))
+                    {
+                         _proc.StartInfo.Environment[tempKey] = tempValue;
+                    }
+#else
                     _proc.StartInfo.Environment[kvp.Key] = kvp.Value;
+
+#endif
                 }
             }
 

src/Runner.Worker/Container/DockerCommandManager.cs

@@ -131,11 +131,11 @@ namespace GitHub.Runner.Worker.Container
             {
                 if (String.IsNullOrEmpty(env.Value))
                 {
-                    dockerOptions.Add($"-e \"{env.Key}\"");
+                    dockerOptions.Add(DockerUtil.CreateEscapedOption("-e", env.Key));
                 }
                 else
                 {
-                    dockerOptions.Add($"-e \"{env.Key}={env.Value.Replace("\"", "\\\"")}\"");
+                    dockerOptions.Add(DockerUtil.CreateEscapedOption("-e", env.Key, env.Value));
                 }
             }
 
@@ -202,7 +202,7 @@ namespace GitHub.Runner.Worker.Container
             {
                 // e.g. -e MY_SECRET maps the value into the exec'ed process without exposing
                 // the value directly in the command
-                dockerOptions.Add($"-e {env.Key}");
+                dockerOptions.Add(DockerUtil.CreateEscapedOption("-e", env.Key));
             }
 
             // Watermark for GitHub Action environment

src/Runner.Worker/Container/DockerUtil.cs

@@ -6,6 +6,9 @@ namespace GitHub.Runner.Worker.Container
 {
     public class DockerUtil
     {
+        private static readonly Regex QuoteEscape = new Regex(@"(\\*)" + "\"", RegexOptions.Compiled);
+        private static readonly Regex EndOfStringEscape = new Regex(@"(\\+)$", RegexOptions.Compiled);
+
         public static List<PortMapping> ParseDockerPort(IList<string> portMappingLines)
         {
             const string targetPort = "targetPort";
@@ -17,7 +20,7 @@ namespace GitHub.Runner.Worker.Container
             string pattern = $"^(?<{targetPort}>\\d+)/(?<{proto}>\\w+) -> (?<{host}>.+):(?<{hostPort}>\\d+)$";
 
             List<PortMapping> portMappings = new List<PortMapping>();
-            foreach(var line in portMappingLines)
+            foreach (var line in portMappingLines)
             {
                 Match m = Regex.Match(line, pattern, RegexOptions.None, TimeSpan.FromSeconds(1));
                 if (m.Success)
@@ -61,5 +64,44 @@ namespace GitHub.Runner.Worker.Container
             }
             return "";
         }
+
+        public static string CreateEscapedOption(string flag, string key)
+        {
+            if (String.IsNullOrEmpty(key))
+            {
+                return "";
+            }
+            return $"{flag} {EscapeString(key)}";
+        }
+
+        public static string CreateEscapedOption(string flag, string key, string value)
+        {
+            if (String.IsNullOrEmpty(key))
+            {
+                return "";
+            }
+            var escapedString = EscapeString($"{key}={value}");
+            return $"{flag} {escapedString}";
+        }
+
+        private static string EscapeString(string value)
+        {
+            if (String.IsNullOrEmpty(value))
+            {
+                return "";
+            }
+            // Dotnet escaping rules are weird here, we can only escape \ if it precedes a "
+            // If a double quotation mark follows two or an even number of backslashes, each proceeding backslash pair is replaced with one backslash and the double quotation mark is removed.
+            // If a double quotation mark follows an odd number of backslashes, including just one, each preceding pair is replaced with one backslash and the remaining backslash is removed; however, in this case the double quotation mark is not removed.
+            // https://docs.microsoft.com/en-us/dotnet/api/system.environment.getcommandlineargs?redirectedfrom=MSDN&view=net-6.0#remarks
+
+            // First, find any \ followed by a " and double the number of \ + 1.
+             value = QuoteEscape.Replace(value, @"$1$1\" + "\"");
+            // Next, what if it ends in `\`, it would escape the end quote. So, we need to detect that at the end of the string and perform the same escape
+            // Luckily, we can just use the $ character with detects the end of string in regex
+            value = EndOfStringEscape.Replace(value, @"$1$1");
+            // Finally, wrap it in quotes
+            return $"\"{value}\"";
+        }
     }
 }

src/Runner.Worker/Handlers/StepHost.cs

@@ -188,7 +188,7 @@ namespace GitHub.Runner.Worker.Handlers
             {
                 // e.g. -e MY_SECRET maps the value into the exec'ed process without exposing
                 // the value directly in the command
-                dockerCommandArgs.Add($"-e {env.Key}");
+                dockerCommandArgs.Add(DockerUtil.CreateEscapedOption("-e", env.Key));
             }
             if (!string.IsNullOrEmpty(PrependPath))
             {

src/Runner.Worker/JobHookProvider.cs

@@ -41,9 +41,9 @@ namespace GitHub.Runner.Worker
             var hookData = data as JobHookData;
             ArgUtil.NotNull(hookData, nameof(JobHookData));
 
-            var displayName = hookData.Stage == ActionRunStage.Pre ? Constants.Hooks.JobStartedStepName : Constants.Hooks.JobCompletedStepName;
+            var displayName = hookData.Stage == ActionRunStage.Pre ? "job started hook" : "job completed hook";
             // Log to users so that they know how this step was injected
-            executionContext.Output($"A '{displayName}' has been configured by the self-hosted runner administrator");
+            executionContext.Output($"A {displayName} has been configured by the self-hosted runner administrator");
 
             // Validate script file.
             if (!File.Exists(hookData.Path))

src/Test/L0/Container/DockerUtilL0.cs

@@ -144,5 +144,54 @@ namespace GitHub.Runner.Common.Tests.Worker.Container
             var actual = DockerUtil.ParseRegistryHostnameFromImageName(input);
             Assert.Equal(expected, actual);
         }
+
+        [Theory]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        [InlineData("", "")]
+        [InlineData("foo", "foo")]
+        [InlineData("foo \\ bar", "foo \\ bar")]
+        [InlineData("foo \\", "foo \\\\")]
+        [InlineData("foo \\\\", "foo \\\\\\\\")]
+        [InlineData("foo \\\" bar", "foo \\\\\\\" bar")]
+        [InlineData("foo \\\\\" bar", "foo \\\\\\\\\\\" bar")]
+        public void CreateEscapedOption_keyOnly(string input, string escaped)
+        {
+            var flag = "--example";
+            var actual = DockerUtil.CreateEscapedOption(flag, input);
+            string expected;
+            if (String.IsNullOrEmpty(input))
+            {
+                expected = "";
+            }
+            else
+            {
+                expected = $"{flag} \"{escaped}\"";
+            }
+            Assert.Equal(expected, actual);
+        }
+
+        [Theory]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        [InlineData("foo", "bar", "foo=bar")]
+        [InlineData("foo\\", "bar", "foo\\=bar")]
+        [InlineData("foo\\", "bar\\", "foo\\=bar\\\\")]
+        [InlineData("foo \\","bar \\", "foo \\=bar \\\\")]
+        public void CreateEscapedOption_keyValue(string keyInput, string valueInput, string escapedString)
+        {
+            var flag = "--example";
+            var actual = DockerUtil.CreateEscapedOption(flag, keyInput, valueInput);
+            string expected;
+            if (String.IsNullOrEmpty(keyInput))
+            {
+                expected = "";
+            }
+            else
+            {
+                expected = $"{flag} \"{escapedString}\"";
+            }
+            Assert.Equal(expected, actual);
+        }
     }
 }

src/Test/L0/ProcessInvokerL0.cs

@@ -129,7 +129,76 @@ namespace GitHub.Runner.Common.Tests
                 }
             }
         }
+#if OS_WINDOWS
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Common")]
+        public async Task SetTestEnvWithNullInKey()
+        {
+            using (TestHostContext hc = new(this))
+            {
+                Tracing trace = hc.GetTrace();
 
+                Int32 exitCode = -1;
+                var processInvoker = new ProcessInvokerWrapper();
+                processInvoker.Initialize(hc);
+                var stdout = new List<string>();
+                var stderr = new List<string>();
+                processInvoker.OutputDataReceived += (object sender, ProcessDataReceivedEventArgs e) =>
+                {
+                    trace.Info(e.Data);
+                    stdout.Add(e.Data);
+                };
+                processInvoker.ErrorDataReceived += (object sender, ProcessDataReceivedEventArgs e) =>
+                {
+                    trace.Info(e.Data);
+                    stderr.Add(e.Data);
+                };
+
+                exitCode = await processInvoker.ExecuteAsync("", "cmd.exe", "/c \"echo %TEST%\"",  new Dictionary<string, string>() { { "TEST\0second", "first" } }, CancellationToken.None);
+
+
+                trace.Info("Exit Code: {0}", exitCode);
+                Assert.Equal(0, exitCode);
+                Assert.Equal("first", stdout.First(x => !string.IsNullOrWhiteSpace(x)));
+
+            }
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Common")]
+        public async Task SetTestEnvWithNullInValue()
+        {
+            using (TestHostContext hc = new(this))
+            {
+                Tracing trace = hc.GetTrace();
+
+                Int32 exitCode = -1;
+                var processInvoker = new ProcessInvokerWrapper();
+                processInvoker.Initialize(hc);
+                var stdout = new List<string>();
+                var stderr = new List<string>();
+                processInvoker.OutputDataReceived += (object sender, ProcessDataReceivedEventArgs e) =>
+                {
+                    trace.Info(e.Data);
+                    stdout.Add(e.Data);
+                };
+                processInvoker.ErrorDataReceived += (object sender, ProcessDataReceivedEventArgs e) =>
+                {
+                    trace.Info(e.Data);
+                    stderr.Add(e.Data);
+                };
+
+                exitCode = await processInvoker.ExecuteAsync("", "cmd.exe", "/c \"echo %TEST%\"",  new Dictionary<string, string>() { { "TEST", "first\0second" } }, CancellationToken.None);
+
+                trace.Info("Exit Code: {0}", exitCode);
+                Assert.Equal(0, exitCode);
+                Assert.Equal("first", stdout.First(x => !string.IsNullOrWhiteSpace(x)));
+
+            }
+        }
+#endif
         [Fact]
         [Trait("Level", "L0")]
         [Trait("Category", "Common")]

src/runnerversion

@@ -1 +1 @@
-2.288.1
+2.289.5