
Parameters in "params:" value with blank spaces in quotes are interpreted as multiple parameters #32

Open
cx-scord opened this issue Sep 27, 2021 · 2 comments

Comments


cx-scord commented Sep 27, 2021

Description

Parameters added to params: value that have spaces inside quotes are being interpreted as multiple arguments instead of a single argument inside the parameter when executing CxFlow inside the container.

Expected Behavior

When adding parameters to params: section that have a space inside, like for example --jira.open-transition="In Progress" or even when using a split comma list inside like this --jira.open-status="Backlog,Selected for Development,In Progress", the quoted values should be seen as one value, meaning that the CxFlow's JIRA open-status value in the previous example here should be unique "Backlog,Selected for Development,In Progress".

Actual Behavior

Currently, and picking up the previous example, the quoted (single or double) strings are being split as multiple arguments to the CxFlow's java command running inside the container, meaning that --jira.open-status="Backlog,Selected for Development,In Progress" is actually interpreted as multiple arguments (4 in total for this example):

  1. --jira.open-status="Backlog,Selected
  2. for
  3. Development,In
  4. Progress"

The problem is in the ${CXFLOW_PARAMS} environment variable.
The ${CXFLOW_PARAMS} environment variable is resolved/expanded inside the docker_entrypoint.sh script on CxFlow's GitHub Action Docker container without being parsed first, making the whole command not properly evaluated or that environment variable and all the blank space split strings inside it matching 1 argument each instead of 1 argument for each enclosed string.

Reproduction

Adding a params: section to the GitHub Action with some parameters with quoted strings with spaces like above will trigger the issue.
In the example below, the issues will be in the parameter set as an example above and in the --jira.open-transition="In Progress" parameter:

  • params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity=High --cx-flow.filter-category="SQL_Injection,SQL_Injection_via_Service" --jira.url=${{secrets.JIRA_URL}} --jira.username=${{secrets.JIRA_USER}} --jira.token=${{secrets.JIRA_TOKEN}} --jira.project=${{secrets.JIRA_PROJECT}} --jira.issue-type=Bug --jira.priorities.High=High --jira.priorities.Medium=Medium --jira.priorities.Low=Low --jira.priorities.Informational=Lowest --jira.open-transition="In Progress" --jira.close-transition=Done --jira.open-status="Backlog,Selected for Development,In Progress" --jira.closed-status=Done

Environment Details

CxFlow 1.6.24 in CLI mode, Windows 10.

Solution

A possible solution is to wrap the java command inside an environment variable and then execute it with the eval command.
The eval command below will parse the whole string first, making sure the quoted strings inside are read as 1 argument and not multiple ones.

This is an example of shell script code that might fix this inside the docker_entrypoint.sh file. Using eval with the $EXEC_COMMAND executable string within single quotes allows for sanitizing possible command injections coming through any of the GitHub action parameter variables:

#!/bin/sh
# Build the whole command line as one string. The single quotes keep the ${...}
# references unexpanded until eval re-parses the string as shell source.
EXEC_COMMAND='java -jar /app/cx-flow.jar --spring.profiles.active="${CX_FLOW_ENABLED_VULNERABILITY_SCANNERS}" --scan --github.api-url="${GITHUB_API_URL}/repos/" --cx-team="${TEAM}" --cx-project="${PROJECT}" --app="${APP}" --f=. ${CXFLOW_PARAMS}'
# eval parses the string again, so quoted values inside ${CXFLOW_PARAMS} stay one argument each.
eval "$EXEC_COMMAND"
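The splitting behaviour described in this issue, and the difference eval makes, can be reproduced without the container. The script below is an added example, not the action's docker_entrypoint.sh or code from the issue author: it feeds a constructed CXFLOW_PARAMS value (modelled on the --jira.open-status example above) to a stand-in for the java command, once through a plain unquoted expansion and once through eval. It also adds a hypothetical params_are_safe guard of my own: because eval executes the entire string as shell code, a params value carrying $(...), backticks, ;, |, & or redirections would run as commands, so the guard rejects such strings before eval sees them.

```shell
#!/bin/sh
# Added example (not the action's docker_entrypoint.sh): shows why an unquoted
# ${CXFLOW_PARAMS} expansion splits a quoted value into several arguments,
# how eval re-parses the string so the quotes are honoured, and a guard that
# rejects parameter strings containing shell metacharacters before eval runs.

# Constructed sample, mirroring the --jira.open-status example from the issue.
CXFLOW_PARAMS='--jira.issue-type=Bug --jira.open-status="Backlog,Selected for Development,In Progress"'

# Stand-in for the java command: reports how many arguments it received.
count_args() { echo "$#"; }

# Stand-in that prints each argument in brackets so the splitting is visible.
show_args() { for a in "$@"; do printf '[%s]\n' "$a"; done; }

# 1. Plain expansion: the shell field-splits the expanded text on whitespace
#    and does NOT reinterpret the quote characters inside it, so the quoted
#    value becomes four words: 5 arguments in total for this sample.
args_plain_expansion() {
    # shellcheck disable=SC2086  # the splitting is exactly what is demonstrated
    count_args $CXFLOW_PARAMS
}

# 2. eval: the string is parsed again as shell source, so the quoted value
#    stays one word: 2 arguments for this sample.
args_eval() {
    eval "count_args $CXFLOW_PARAMS"
}

# 3. Guard (hypothetical, not part of the project): allow only characters that
#    plain option words need (letters, digits, _ . / : = , @ + -, spaces and
#    quotes) and reject anything else ($, backticks, ;, |, &, <, >, *, ?, (, ),
#    {, }, ~, newline...), since eval would interpret those as shell syntax.
params_are_safe() {
    case "$1" in
        *[!A-Za-z0-9_./:=,\ \"\'@+-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# run_params: the guarded form of the fix proposed in the issue.
run_params() {
    if ! params_are_safe "$1"; then
        echo "refusing to eval parameters containing shell metacharacters" >&2
        return 2
    fi
    eval "show_args $1"
}

run_params "$CXFLOW_PARAMS"
```

Running it prints each argument in brackets; with the sample value, the guarded eval path yields two arguments, the second being the complete quoted status list. The guard is deliberately an allow-list rather than a list of known-bad characters, because eval's grammar is large and an allow-list fails closed when a new character shows up in a params value.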
Author

cx-scord commented Feb 8, 2022

Hi, is there an ETA for this? @DhavalPatelPersistent is this being looked at?

Contributor

jbrotsos commented Feb 9, 2022

There is not an ETA.

Also, can the user use config as code instead?

DhavalPatelPersistent added a commit that referenced this issue Mar 18, 2022
…in quotes are interpreted as multiple parameters

Parameters in "params:" value with blank spaces in quotes are interpreted as multiple parameters.
--jira.open-status="Backlog,Selected for Development,In Progress" is actually interpreted as multiple arguments (4 in total for this example):
1. --jira.open-status="Backlog,Selected
2. for
3. Development,In
4. Progress"
DhavalPatelPersistent added a commit to checkmarx-ltd/cx-flow that referenced this issue Mar 21, 2022
Update document for GH 32 Issue. checkmarx-ts/checkmarx-cxflow-github-action#32

Parameters in "params:" value with blank spaces in quotes are interpreted as multiple parameters #32
DhavalPatelPersistent added a commit that referenced this issue Mar 21, 2022
…in quotes are interpreted as multiple parameters

Documentation Update
DhavalPatelPersistent added a commit to checkmarx-ltd/cx-flow that referenced this issue Mar 22, 2022
Update document for GH 32 Issue. checkmarx-ts/checkmarx-cxflow-github-action#32

Parameters in "params:" value with blank spaces in quotes are interpreted as multiple parameters #32