
Commit 8d5c9df

committed
Fix shell injection and test false-positive
Use bash arrays for bakery command construction in shared workflows. Inputs are quoted via env vars and conditionally appended, preventing word-splitting or metacharacter injection. Fix globemaster-allium test to assert mock was called and at least one call includes the expected channel value, preventing false-positive pass on zero calls.
1 parent eaf52a6 commit 8d5c9df

3 files changed

Lines changed: 22 additions & 12 deletions


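--- a/.github/workflows/bakery-build-native.yml
+++ b/.github/workflows/bakery-build-native.yml
@@ -105,17 +105,23 @@ jobs:
 - name: Images by Version/Platform
 id: images-by-platform
 env:
-DEV_STREAM_FLAG: ${{ inputs['dev-stream'] != '' && format('--dev-stream {0}', inputs['dev-stream']) || '' }}
-DEV_CHANNEL_FLAG: ${{ inputs['dev-channel'] != '' && format('--value channel={0}', inputs['dev-channel']) || '' }}
+DEV_STREAM: ${{ inputs['dev-stream'] }}
+DEV_CHANNEL: ${{ inputs['dev-channel'] }}
 run: |
-echo "platform_matrix=$(bakery ci matrix --quiet --dev-versions ${{ inputs.dev-versions }} --matrix-versions ${{ inputs.matrix-versions }} $DEV_STREAM_FLAG $DEV_CHANNEL_FLAG --context ${{ inputs.context }} | jq --compact-output .)" >> $GITHUB_OUTPUT
+ARGS=(--quiet --dev-versions "${{ inputs.dev-versions }}" --matrix-versions "${{ inputs.matrix-versions }}" --context "${{ inputs.context }}")
+[[ -n "$DEV_STREAM" ]] && ARGS+=(--dev-stream "$DEV_STREAM")
+[[ -n "$DEV_CHANNEL" ]] && ARGS+=(--value "channel=$DEV_CHANNEL")
+echo "platform_matrix=$(bakery ci matrix "${ARGS[@]}" | jq --compact-output .)" >> $GITHUB_OUTPUT
 - name: Images by Version
 id: images-by-version
 env:
-DEV_STREAM_FLAG: ${{ inputs['dev-stream'] != '' && format('--dev-stream {0}', inputs['dev-stream']) || '' }}
-DEV_CHANNEL_FLAG: ${{ inputs['dev-channel'] != '' && format('--value channel={0}', inputs['dev-channel']) || '' }}
+DEV_STREAM: ${{ inputs['dev-stream'] }}
+DEV_CHANNEL: ${{ inputs['dev-channel'] }}
 run: |
-echo "versions_matrix=$(bakery ci matrix --quiet --dev-versions ${{ inputs.dev-versions }} --matrix-versions ${{ inputs.matrix-versions }} $DEV_STREAM_FLAG $DEV_CHANNEL_FLAG --exclude platform --context ${{ inputs.context }} | jq --compact-output .)" >> $GITHUB_OUTPUT
+ARGS=(--quiet --dev-versions "${{ inputs.dev-versions }}" --matrix-versions "${{ inputs.matrix-versions }}" --exclude platform --context "${{ inputs.context }}")
+[[ -n "$DEV_STREAM" ]] && ARGS+=(--dev-stream "$DEV_STREAM")
+[[ -n "$DEV_CHANNEL" ]] && ARGS+=(--value "channel=$DEV_CHANNEL")
+echo "versions_matrix=$(bakery ci matrix "${ARGS[@]}" | jq --compact-output .)" >> $GITHUB_OUTPUT
 
 build-test:
 name: "Build/Test ${{ matrix.img.image }}:${{ matrix.img.version }} (${{ matrix.img.platform }})"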
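Review bot: The `ARGS=(...)` lines at new 111 and new 121 still interpolate `${{ inputs.dev-versions }}`, `${{ inputs.matrix-versions }}` and `${{ inputs.context }}` directly into the script text, and the double quotes around them do not help: the runner expands the expression before bash ever parses the line, so a value containing `"` or `$(...)` still escapes the quoting, which is exactly the problem the commit fixes for `dev-stream` and `dev-channel` by moving them into `env:`. The remaining three inputs should go the same route so the shell only ever sees them as variables; these are shared-workflow (`workflow_call`) inputs, so how much the caller can be trusted depends on the invoking workflow, but the mitigation is inconsistent as written. While touching the line, `>> "$GITHUB_OUTPUT"` is the safer spelling of the redirect. Both steps sit inside the `jobs:` block, which starts before this hunk, and the same edit is needed in the `Images by Version` step.

```yaml
env:
  DEV_VERSIONS: ${{ inputs.dev-versions }}
  MATRIX_VERSIONS: ${{ inputs.matrix-versions }}
  CONTEXT: ${{ inputs.context }}
  DEV_STREAM: ${{ inputs['dev-stream'] }}
  DEV_CHANNEL: ${{ inputs['dev-channel'] }}
run: |
  ARGS=(--quiet --dev-versions "$DEV_VERSIONS" --matrix-versions "$MATRIX_VERSIONS" --context "$CONTEXT")
  # … unchanged: conditional --dev-stream / --value appends and the bakery ci matrix call …
```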

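--- a/.github/workflows/bakery-build.yml
+++ b/.github/workflows/bakery-build.yml
@@ -95,10 +95,13 @@ jobs:
 - name: Images
 id: images
 env:
-DEV_STREAM_FLAG: ${{ inputs['dev-stream'] != '' && format('--dev-stream {0}', inputs['dev-stream']) || '' }}
-DEV_CHANNEL_FLAG: ${{ inputs['dev-channel'] != '' && format('--value channel={0}', inputs['dev-channel']) || '' }}
+DEV_STREAM: ${{ inputs['dev-stream'] }}
+DEV_CHANNEL: ${{ inputs['dev-channel'] }}
 run: |
-echo "matrix=$(bakery ci matrix --quiet --dev-versions ${{ inputs.dev-versions }} --matrix-versions ${{ inputs.matrix-versions }} $DEV_STREAM_FLAG $DEV_CHANNEL_FLAG --context ${{ inputs.context }} | jq --compact-output .)" >> $GITHUB_OUTPUT
+ARGS=(--quiet --dev-versions "${{ inputs.dev-versions }}" --matrix-versions "${{ inputs.matrix-versions }}" --context "${{ inputs.context }}")
+[[ -n "$DEV_STREAM" ]] && ARGS+=(--dev-stream "$DEV_STREAM")
+[[ -n "$DEV_CHANNEL" ]] && ARGS+=(--value "channel=$DEV_CHANNEL")
+echo "matrix=$(bakery ci matrix "${ARGS[@]}" | jq --compact-output .)" >> $GITHUB_OUTPUT
 
 build:
 name: "${{ matrix.img.image }}:${{ matrix.img.version }}"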
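Review bot: The `ARGS=(...)` line at new 101 leaves `${{ inputs.dev-versions }}`, `${{ inputs.matrix-versions }}` and `${{ inputs.context }}` interpolated into the script body, so those three inputs get none of the protection the commit adds for `dev-stream` and `dev-channel`: the `${{ }}` expansion happens before bash parses the line, and the added double quotes are defeated by a value containing `"` or `$(`. Moving them into the step's `env:` as well keeps the shell from ever seeing the raw text. Whether these `workflow_call` inputs are attacker-reachable depends on the calling workflow, which is not visible here, but the step should not rely on that. The step is inside the `jobs:` block, which begins before this hunk.

```yaml
env:
  DEV_VERSIONS: ${{ inputs.dev-versions }}
  MATRIX_VERSIONS: ${{ inputs.matrix-versions }}
  CONTEXT: ${{ inputs.context }}
  DEV_STREAM: ${{ inputs['dev-stream'] }}
  DEV_CHANNEL: ${{ inputs['dev-channel'] }}
run: |
  ARGS=(--quiet --dev-versions "$DEV_VERSIONS" --matrix-versions "$MATRIX_VERSIONS" --context "$CONTEXT")
  # … unchanged: conditional --dev-stream / --value appends and the bakery ci matrix call …
```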

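--- a/posit-bakery/test/config/image/test_image.py
+++ b/posit-bakery/test/config/image/test_image.py
@@ -804,9 +804,10 @@ def test_load_dev_versions_values_override_channel_url(self):
 # The override should replace config default.
 assert i.devVersions[0].values["channel"] == "globemaster-allium"
 # The overridden value should be passed to get_product_artifact_by_stream.
-for call in mock_get.call_args_list:
-if call.kwargs.get("values"):
-assert call.kwargs["values"]["channel"] == "globemaster-allium"
+assert mock_get.called
+assert any(
+call.kwargs.get("values", {}).get("channel") == "globemaster-allium" for call in mock_get.call_args_list
+)
 
 def test_render_ephemeral_version_files(self, get_tmpcontext, common_image_variants_objects):
 """Test that render_ephemeral_version_files creates the correct directory structure for an ephemeral version."""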
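Review bot: The `any(...)` at new 808-810 only demands one matching call, so a second call that passes a different `values["channel"]` now goes unnoticed, whereas the removed loop checked every call that supplied `values` but passed vacuously when there were none; combining the two is strictly stronger and makes `assert mock_get.called` redundant: `values_calls = [c for c in mock_get.call_args_list if c.kwargs.get("values")]`, `assert values_calls`, `assert all(c.kwargs["values"]["channel"] == "globemaster-allium" for c in values_calls)`. Separately, `call.kwargs.get("values", {})` only defaults on a missing key, so a call made with `values=None` explicitly would raise `AttributeError` on the chained `.get("channel")` instead of being skipped as the old truthiness check did; I cannot see from here whether the code under test ever passes `None`, but `(c.kwargs.get("values") or {})` costs nothing. Both old and new versions also assume `values` is always passed by keyword, which is worth a one-line comment if that is a deliberate contract. The enclosing test function begins before this hunk.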
