
Add function shellescape to quote input parameters

What does this MR do and why?

Add function shellescape to quote input parameters

When $[[ inputs.… ]] is used directly inside a script:, it goes through the shell's expansion unless the argument is quoted. Sadly, neither single quotes (') nor double quotes (") can be used safely, as the value from the input may itself contain those quotes, which would then terminate the quoting and/or introduce syntax errors.

This even allows executing code, as command substitution is done by the shell.

Introduce the function shellescape, which can be used to properly quote any input parameter of type: string for direct use in script:

example job:
  script: printf '%s\n' $[[ inputs.var | shellescape ]]

Quoting from shellescape:

Note that a resulted string should be used unquoted and is not intended for use in double quotes nor in single quotes.

Signed-off-by: Philipp Hahn p.hahn@avm.de
Closes: #568289

How to set up and validate locally

  1. Create component project from template gitlab-component-template and overwrite templates/my-component.yaml:
    spec:
      inputs:
        value:
    ---
    test-job:
      script: printf '%s\n' $[[ inputs.value | shellescape ]]
  2. Create a second project using that component in its .gitlab-ci.yml:
    include:
      - component: https://gitlab.com/<your project path>/my-component@<branch_or_tag>
        inputs:
          value: |
            any string full of (evil) shell code you can think of including !"#$&'()<>?[]`{}~, blanks, new-lines, …
  3. Check the console output to make sure that the value is printed as-is and not interpreted as shell meta-characters.
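As an added illustration (not code from this MR or from GitLab), the Ruby sketch below mimics the interpolation step with Ruby's Shellwords.escape, which the note quoted above comes from and which this MR's shellescape is assumed here to match, and runs the rendered line through /bin/sh (assumed present): the constructed hostile value comes back byte-for-byte only when shellescape is applied.

```ruby
require 'shellwords'
require 'open3'

# Hypothetical stand-in for the CI interpolation step: substitute one
# $[[ inputs.<name> ]] placeholder, applying Shellwords.escape only when
# the "| shellescape" function is present (assumed to match the MR's behaviour).
PLACEHOLDER = /\$\[\[\s*inputs\.(\w+)(\s*\|\s*shellescape)?\s*\]\]/

def render_script(template, inputs)
  template.gsub(PLACEHOLDER) do
    value = inputs.fetch(Regexp.last_match(1).to_sym)
    Regexp.last_match(2) ? Shellwords.escape(value) : value
  end
end

# Run one rendered script line through /bin/sh (assumed present) and return stdout.
def run_in_sh(script)
  out, _status = Open3.capture2('/bin/sh', '-c', script, err: File::NULL)
  out
end

# True when printf echoes the input byte-for-byte: no word splitting, globbing,
# quote removal or command substitution took place.
def printed_verbatim?(template, value)
  run_in_sh(render_script(template, { value: value })).chomp == value
end

# Constructed hostile input: both quote kinds, command substitutions, a glob,
# a command separator and an embedded newline.
EVIL = %q{it's "quoted" $(echo injected) `id` * ; echo more} + "\nline two"

TEMPLATE_RAW = %q{printf '%s\n' $[[ inputs.value ]]}
TEMPLATE_ESC = %q{printf '%s\n' $[[ inputs.value | shellescape ]]}

if __FILE__ == $PROGRAM_NAME
  puts "escaped line: #{render_script(TEMPLATE_ESC, { value: EVIL })}"
  puts "raw:     verbatim=#{printed_verbatim?(TEMPLATE_RAW, EVIL)}" # false
  puts "escaped: verbatim=#{printed_verbatim?(TEMPLATE_ESC, EVIL)}" # true
  # Raw interpolation lets the shell run the substitution and print its result.
  puts run_in_sh(render_script(TEMPLATE_RAW, { value: '$(echo injected)' })) # injected
end
```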

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Philipp Hahn
