diff --git a/go.mod b/go.mod
index 22c9d3d3f731..2aa5a54a6f0a 100644
--- a/go.mod
+++ b/go.mod
@@ -50,7 +50,7 @@ require (
 github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0
 github.com/masterzen/winrm v0.0.0-20200615185753-c42b5136ff88
 github.com/mattn/go-isatty v0.0.20
- github.com/mattn/go-shellwords v1.0.4
+ github.com/mattn/go-shellwords v1.0.12
 github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db
 github.com/mitchellh/go-homedir v1.1.0
 github.com/mitchellh/go-linereader v0.0.0-20190213213312-1b945b3263eb
diff --git a/go.sum b/go.sum
index 62a34a73d9ce..fe93c5ad38ca 100644
--- a/go.sum
+++ b/go.sum
@@ -832,8 +832,8 @@ github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU=
 github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/mattn/go-shellwords v1.0.4 h1:xmZZyxuP+bYKAKkA9ABYXVNJ+G/Wf3R8d8vAP3LDJJk=
-github.com/mattn/go-shellwords v1.0.4/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
+github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
+github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mergestat/timediff v0.0.3 h1:ucCNh4/ZrTPjFZ081PccNbhx9spymCJkFxSzgVuPU+Y=
 github.com/mergestat/timediff v0.0.3/go.mod h1:yvMUaRu2oetc+9IbPLYBJviz6sA7xz8OXMDfhBl7YSI=
diff --git a/main.go b/main.go
index f78e5c1e3f60..cce3f5f998ad 100644
--- a/main.go
+++ b/main.go
@@ -359,8 +359,13 @@ func mergeEnvArgs(envName string, cmd string, args []string) ([]string, error) {
 return args, nil
 }

+ swParser := &shellwords.Parser{
+ ParseEnv: false,
+ ParseBacktick: false,
+ }
+
 log.Printf("[INFO] %s value: %q", envName, v)
- extra, err := shellwords.Parse(v)
+ extra, err := swParser.Parse(v)
 if err != nil {
 return nil, fmt.Errorf(
 "Error parsing extra CLI args from %s: %s",
diff --git a/main_test.go b/main_test.go
index 4921640014b8..addd07dfebaa 100644
--- a/main_test.go
+++ b/main_test.go
@@ -34,7 +34,7 @@ func TestMain_cliArgsFromEnv(t *testing.T) {
 cases := []struct {
 Name string
 Args []string
- Value string
+ EnvValue string
 Expected []string
 Err bool
 }{
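Review bot: The `swParser` literal added in mergeEnvArgs spells out two zero-value fields with no comment saying why, so a later cleanup could fold it back into `shellwords.Parse(v)`, whose parser is built from the package-level `ParseEnv` and `ParseBacktick` variables that any code in the process can change. I would put a comment directly above the literal: `// Keep ParseEnv and ParseBacktick off: v comes from the environment, and backtick parsing would hand part of it to a shell.` The unchanged `log.Printf` line also writes the whole value to the log at INFO, and arguments supplied this way may carry credentials, so its level deserves a separate look. mergeEnvArgs begins and ends outside this hunk.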
@@ -111,19 +111,36 @@ func TestMain_cliArgsFromEnv(t *testing.T) {
 []string{"-foo", "'bar baz'", "foo"},
 false,
 },
+
+ {
+ "backticks taken literally",
+ // The shellwords library we use to parse the environment variables
+ // has the option to automatically execute commands written in
+ // backticks. This test is here to make sure we don't accidentally
+ // enable that.
+ []string{testCommandName, "foo"},
+ "-foo `echo nope`",
+ []string{"-foo", "`echo nope`", "foo"},
+ false,
+ },
+
+ {
+ "no nested environment variable expansion",
+ // The shellwords library we use to parse the environment variables
+ // has the option to automatically expand sequences that appear
+ // to be environment variable interpolations. This test is here to
+ // make sure we don't accidentally enable that.
+ []string{testCommandName, "foo"},
+ "-foo $OTHER_ENV",
+ []string{"-foo", "$OTHER_ENV", "foo"},
+ false,
+ },
 }

 for i, tc := range cases {
 t.Run(fmt.Sprintf("%d-%s", i, tc.Name), func(t *testing.T) {
- os.Unsetenv(EnvCLI)
- defer os.Unsetenv(EnvCLI)
-
- // Set the env var value
- if tc.Value != "" {
- if err := os.Setenv(EnvCLI, tc.Value); err != nil {
- t.Fatalf("err: %s", err)
- }
- }
+ t.Setenv(EnvCLI, tc.EnvValue)
+ t.Setenv("OTHER_ENV", "placeholder")

 // Set up the args
 args := make([]string, len(tc.Args)+1)
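Review bot: The new setup calls `t.Setenv(EnvCLI, tc.EnvValue)` for every case, so a case with an empty value now runs with the variable set to "" instead of unset, which is what the removed `os.Unsetenv` path gave it. If mergeEnvArgs reads the variable with os.Getenv and returns early on an empty string the two are equivalent, but that read is not visible in this hunk. A short comment above the call would record the assumption: `// An empty EnvValue leaves the variable set but empty; mergeEnvArgs must treat that the same as unset.` TestMain_cliArgsFromEnv starts and ends outside the hunk.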