Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Exported environment variables w/quotes break the docker run command #103

Closed
MT-Jacobs opened this issue May 30, 2023 · 1 comment · Fixed by #105
Closed

Exported environment variables w/quotes break the docker run command #103

MT-Jacobs opened this issue May 30, 2023 · 1 comment · Fixed by #105
Assignees
Labels
bug Something is not working

Comments

@MT-Jacobs
Copy link

MT-Jacobs commented May 30, 2023

Let's start with my branch of Azure/cli here as the diff from source shows how I enabled logging of the docker run command to find the issue: https://github.com/MT-Jacobs/azure-cli

The file I edited is in src/main.ts.

Anyhow -

If you run Azure CLI commands, you might choose to pass along an environment variable to the docker run command like so:

docker run ...
-e "COMMIT_MESSAGE=Message here"
...
mcr.microsoft.com/azure-cli:2.48.1  bash --noprofile --norc
...

However, if the variable has quotes in it - like can often happen if you, say, supplied a commit message for a revert in Github - you get the following:

docker run ...
-e "COMMIT_MESSAGE=Revert "Original commit message" (#882)"
...
mcr.microsoft.com/azure-cli:2.48.1  bash --noprofile --norc
...

these un-escaped quotes break parsing of the docker run command and results in a misleading message:

Error: Error: docker: invalid reference format: repository name must be lowercase.
See 'docker run --help'.

Environment variables need to be properly escaped. The issue is in this area of the script, I believe:

        let environmentVariables = '';
        for (let key in process.env) {
            // if (key.toUpperCase().startsWith("GITHUB_") && key.toUpperCase() !== 'GITHUB_WORKSPACE' && process.env[key]){
            if (!checkIfEnvironmentVariableIsOmitted(key) && process.env[key]) {
                environmentVariables += ` -e "${key}=${process.env[key]}" `;
            }
        }
@MT-Jacobs MT-Jacobs added the need-to-triage Requires investigation label May 30, 2023
@MT-Jacobs MT-Jacobs changed the title Commit messages with quotes (and other environment variables w/quotes) break the docker run command Exported environment variables w/quotes break the docker run command May 30, 2023
@MoChilia MoChilia assigned MoChilia and unassigned bishal-pdMSFT and t-dedah Jun 1, 2023
@jiasli
Copy link
Member

jiasli commented Jun 2, 2023

This is a nice finding.

environmentVariables string is constructed by appending process.env without proper escaping:

cli/src/main.ts

Lines 54 to 59 in 68f0d36

for (let key in process.env) {
// if (key.toUpperCase().startsWith("GITHUB_") && key.toUpperCase() !== 'GITHUB_WORKSPACE' && process.env[key]){
if (!checkIfEnvironmentVariableIsOmitted(key) && process.env[key]) {
environmentVariables += ` -e "${key}=${process.env[key]}" `;
}
}

Then the dockerCommand gets executed through exec.exec:

cli/src/main.ts

Line 143 in 68f0d36

exitCode = await exec.exec(`"${dockerTool}" ${dockerCommand}`, [], execOptions);

I am not an expert on TypeScript, but I can provide some insights from Python's perspective (Azure CLI itself is written in Python).

Python's subprocess.Popen accepts args as either a list or string:

  1. If args is a list, the subprocess module takes care of escaping and quoting of arguments.
  2. If args is a string, the caller must ensure arguments are correctly escaped and quoted to avoid shell injection vulnerabilities, possibly with shlex.quote().

See

Apparently, in Azure/cli GitHub Action's implementation, it is the second case - args is a string, but not escaped correctly. We need to investigate how to achieve the same in TypeScript to avoid such shell injection.

@github-actions github-actions bot added the stale 90 days old label Jun 9, 2023
@MoChilia MoChilia removed the stale 90 days old label Jun 9, 2023
@Azure Azure deleted a comment from github-actions bot Jun 9, 2023
@MoChilia MoChilia added bug Something is not working and removed need-to-triage Requires investigation labels Jun 25, 2023
MoChilia added a commit that referenced this issue Jun 30, 2023
…s` (#105)

* escape by args

* remove redundant output

* fix with comments

* update for comment
MoChilia added a commit to MoChilia/cli that referenced this issue Aug 9, 2023
MoChilia added a commit that referenced this issue Aug 9, 2023
…s` (#105)

* escape by args

* remove redundant output

* fix with comments

* update for comment
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something is not working
Projects
None yet
5 participants