From 48df3121afe8effbd9b2ce7e349cf356131165a6 Mon Sep 17 00:00:00 2001
From: Martin Atkins
Date: Wed, 13 Mar 2024 10:20:23 -0700
Subject: [PATCH] go.mod: go get github.com/mattn/go-shellwords@v1.0.12

We use this library only for interpreting the "TF_CLI_ARG_..." environment variables as additional command line arguments, so the potential impact of this is very limited. The upstream changes here expand on the supported dynamic behavior around backtick command execution and nested environment variable expansion. We don't use either of those features, but just to make sure I changed the code to force them off (since otherwise another package in the program could change the package's global configuration) and added test cases that will fail if they end up turned on.
---
 go.mod | 2 +-
 go.sum | 4 ++--
 main.go | 7 ++++++-
 main_test.go | 37 +++++++++++++++++++++++++++----------
 4 files changed, 36 insertions(+), 14 deletions(-)

diff --git a/go.mod b/go.mod
index 22c9d3d3f731..2aa5a54a6f0a 100644
--- a/go.mod
+++ b/go.mod
@@ -50,7 +50,7 @@ require (
 	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0
 	github.com/masterzen/winrm v0.0.0-20200615185753-c42b5136ff88
 	github.com/mattn/go-isatty v0.0.20
-	github.com/mattn/go-shellwords v1.0.4
+	github.com/mattn/go-shellwords v1.0.12
 	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/go-linereader v0.0.0-20190213213312-1b945b3263eb
diff --git a/go.sum b/go.sum
index 62a34a73d9ce..fe93c5ad38ca 100644
--- a/go.sum
+++ b/go.sum
@@ -832,8 +832,8 @@ github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU=
 github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/mattn/go-shellwords v1.0.4 h1:xmZZyxuP+bYKAKkA9ABYXVNJ+G/Wf3R8d8vAP3LDJJk=
-github.com/mattn/go-shellwords v1.0.4/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
+github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
+github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mergestat/timediff v0.0.3 h1:ucCNh4/ZrTPjFZ081PccNbhx9spymCJkFxSzgVuPU+Y=
 github.com/mergestat/timediff v0.0.3/go.mod h1:yvMUaRu2oetc+9IbPLYBJviz6sA7xz8OXMDfhBl7YSI=
diff --git a/main.go b/main.go
index f78e5c1e3f60..cce3f5f998ad 100644
--- a/main.go
+++ b/main.go
@@ -359,8 +359,13 @@ func mergeEnvArgs(envName string, cmd string, args []string) ([]string, error) {
 		return args, nil
 	}
 
+	swParser := &shellwords.Parser{
+		ParseEnv:      false,
+		ParseBacktick: false,
+	}
+
 	log.Printf("[INFO] %s value: %q", envName, v)
-	extra, err := shellwords.Parse(v)
+	extra, err := swParser.Parse(v)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"Error parsing extra CLI args from %s: %s",
diff --git a/main_test.go b/main_test.go
index 4921640014b8..addd07dfebaa 100644
--- a/main_test.go
+++ b/main_test.go
@@ -34,7 +34,7 @@ func TestMain_cliArgsFromEnv(t *testing.T) {
 	cases := []struct {
 		Name     string
 		Args     []string
-		Value    string
+		EnvValue string
 		Expected []string
 		Err      bool
 	}{
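Review bot: The `swParser` literal added before `log.Printf` in `mergeEnvArgs` carries no explanation of why it replaces `shellwords.Parse(v)`, so a later tidy-up could fold it back and silently re-inherit the package-level `ParseEnv`/`ParseBacktick` settings that any other package linked into the binary can flip. I would put the commit message's rationale on the literal: `// Use a private parser so the package-level ParseEnv/ParseBacktick knobs, which another package in the process could enable, can never turn the envName value into command execution or variable expansion.` Building it per call rather than once at package scope looks right, since the parser appears to hold per-parse state, but that is inferred from the library rather than visible in this hunk. mergeEnvArgs begins before the hunk and continues past it.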
@@ -111,19 +111,36 @@ func TestMain_cliArgsFromEnv(t *testing.T) {
 			[]string{"-foo", "'bar baz'", "foo"},
 			false,
 		},
+
+		{ "backticks taken literally",
+			// The shellwords library we use to parse the environment variables
+			// has the option to automatically execute commands written in
+			// backticks. This test is here to make sure we don't accidentally
+			// enable that.
+			[]string{testCommandName, "foo"},
+			"-foo `echo nope`",
+			[]string{"-foo", "`echo nope`", "foo"},
+			false,
+		},
+
+		{ "no nested environment variable expansion",
+			// The shellwords library we use to parse the environment variables
+			// has the option to automatically expand sequences that appear
+			// to be environment variable interpolations. This test is here to
+			// make sure we don't accidentally enable that.
+			[]string{testCommandName, "foo"},
+			"-foo $OTHER_ENV",
+			[]string{"-foo", "$OTHER_ENV", "foo"},
+			false,
+		},
 	}
 
 	for i, tc := range cases {
 		t.Run(fmt.Sprintf("%d-%s", i, tc.Name), func(t *testing.T) {
-			os.Unsetenv(EnvCLI)
-			defer os.Unsetenv(EnvCLI)
-
-			// Set the env var value
-			if tc.Value != "" {
-				if err := os.Setenv(EnvCLI, tc.Value); err != nil {
-					t.Fatalf("err: %s", err)
-				}
-			}
+			t.Setenv(EnvCLI, tc.EnvValue)
+			t.Setenv("OTHER_ENV", "placeholder")
 
 			// Set up the args
 			args := make([]string, len(tc.Args)+1)
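Review bot: With `t.Setenv(EnvCLI, tc.EnvValue)` the cases whose `EnvValue` is empty now run with the variable set to an empty string, whereas the removed `os.Unsetenv` path ran them with it unset; the two are equivalent only if `mergeEnvArgs` reads it with `os.Getenv`, which the `return args, nil` early exit in the main.go hunk suggests but does not show. If the unset case is worth keeping, one case could follow the `t.Setenv` with `os.Unsetenv(EnvCLI)`, since `t.Setenv` has already registered the restore of the original value. The two new cases are a sound guard for the parser settings, and giving `OTHER_ENV` a non-empty value is what makes accidental expansion show up as a different argument. `t.Setenv` panics if this test or a parent is later marked `t.Parallel()`, which deserves a one-line comment such as `// t.Setenv: this test must not become parallel.` TestMain_cliArgsFromEnv begins before the hunk and continues past it.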