rsenden
commented
1 month ago Some testing on this seems to indicate that something like user-specified EXTRA_PACKAGE_OPTS: -opt "arg with space" --other-opt actually works just fine with the internal/run action, but further testing would be useful.
We now also have the internal/run-script action; we need to test whether user-specified EXTRA_*_OPTS referenced in scripts executed through this action also properly handle quoted options containing spaces. An example is EXTRA_SC_SAST_SCAN_OPTS as used in sc-sast-and-debricked-scan.sh.
As described in #15,
@actions/execseems to eat/ignore double quotes around command arguments, causing issues if arguments contain spaces. This has been fixed for app/version/release names containing spaces when invoking FortifyVulnerabilityExporter by using triple single quotes, however there are many other places where we use double quotes to handle potential spaces. In most places, it's unlikely but not impossible that arguments containing spaces are being passed.Ideally, the
internal/runaction should properly handle arguments surrounded by double quotes, to fix handling of spaces in all actions, including for multi-argument environment variables passed by the calling workflow likeEXTRA_PACKAGE_OPTS, i.e. users should be able to pass something likeEXTRA_PACKAGE_OPTS: -opt "arg with space" --other-opt, which theinternal/runaction should pass as 3 (and not 5) separate command-line arguments.Alternatively but less preferable, we could update all actions to use triple single quotes instead of double quotes to properly handle arguments containing spaces internally, but we'd then also need to document this approach for user-provided environment variables. In the example above, users would need to pass
EXTRA_PACKAGE_OPTS: -opt '''arg with space''' --other-optinstead. Users are not accustomed to such notation, so this can easily lead to unexpected results and errors.