fix value escaping in codeql-env.sh #477
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hmakholm
force-pushed
the
hmakholm/pr/fix-escaping
branch
2 times, most recently
from
4a4a2ac
to
44ebca1
Compare
aeisenberg
reviewed
May 5, 2021
src/runner.ts
Outdated
| @@ -249,7 +249,7 @@ program | |||
| const shEnvFileContents = Object.entries(tracerConfig.env) | |||
| // Some vars contain ${LIB} that we do not want to be expanded when executing this script | |||
| .map( | |||
| ([key, value]) => `export ${key}="${value.replace(/\$/g, "\\$")}"` | |||
| ([key, value]) => "export " + key + "='" + value.replace(/'/g, "'\"'\"'") + "'" | |||
There was a problem hiding this comment.
Suggested change
| ([key, value]) => "export " + key + "='" + value.replace(/'/g, "'\"'\"'") + "'" | |
| ([key, value]) => `export ${key}='${value.replace(/'/g, "'\"'\"'")}'` |
hmakholm
force-pushed
the
hmakholm/pr/fix-escaping
branch
from
44ebca1
to
e7e64d5
Compare
aeisenberg
approved these changes
May 5, 2021
|
I know there are consumers converting the windows output to sh (as they use bash on windows) but I don't know about users converting the sh output. |
aeisenberg
reviewed
May 5, 2021
|
Arrrrgh....also need to update the compile files. Let me just push a change up. |
Co-authored-by: Andrew Eisenberg <[email protected]>
aeisenberg
force-pushed
the
hmakholm/pr/fix-escaping
branch
from
11f9ba6
to
a6ebb19
Compare
|
Do we need a change note warning users of the different quoting? |
|
Based on how we are doing things now, the answer is no. And as we discussed, this might change, but I don't think we should be holding this PR up until we make any process changes. |
|
@hmakholm, merged this for you because you mentioned earlier that you kept having merge conflicts if you waited too long. |
|
Thank you! |
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
CodeQL itself complained (correctly) that the escaping here would fail if the value contains backslashes.
Switch to single-quoting, which is less tricky to escape.
Hmmm, how confident are we that there are not consumers that try to parse
codeql-env.shthemselves and will break if they don't find double quotes? They should be using the JSON output instead, but still ...Merge / deployment checklist