From 7308d3dead239e294d84b5828bcac5a5be301327 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Youen=20P=C3=A9ron?= Date: Thu, 6 Feb 2025 19:53:56 +0000 Subject: [PATCH] fix(command): parse command ligne with shellwords --- CHANGELOG.md | 4 ++++ go.mod | 1 + go.sum | 2 ++ pkg/command/command.go | 11 ++++++++++- pkg/command/command_test.go | 10 ++++++++++ 5 files changed, 27 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e47a2f6b..2c7551d4 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,10 @@ Types of changes - `Fixed` for any bug fixes. - `Security` in case of vulnerabilities. +## [1.30.1] + +- `Fixed` mask `command` split command line on space protected by quote + ## [1.30.0] - `Added` mask `partitions` to handle fields containing different types of values by applying distinct transformations diff --git a/go.mod b/go.mod index cf744623..f7416586 100644 --- a/go.mod +++ b/go.mod @@ -52,6 +52,7 @@ require ( github.com/labstack/gommon v0.4.2 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect + github.com/mattn/go-shellwords v1.0.12 github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 // indirect github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect diff --git a/go.sum b/go.sum index 31840e35..8fc90549 100644 --- a/go.sum +++ b/go.sum 
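Review bot: The new `github.com/mattn/go-shellwords v1.0.12` requirement in the go.mod hunk sits among entries marked `// indirect`, yet `pkg/command/command.go` imports the package directly in this same commit. The `require (` block starts outside the hunk, so this is inferred from the neighbouring lines, but if it is the indirect block then `go mod tidy` would move the line into the direct one. Keeping direct dependencies in their own block makes it easier to see, during dependency review, which third-party modules the project itself chose to trust.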
@@ -98,6 +98,8 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/ github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk= +github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 h1:AMFGa4R4MiIpspGNG7Z948v4n35fFGB3RR3G/ry4FWs= github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY= github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 h1:+n/aFZefKZp7spd8DFdX7uMikMLXX4oubIzJF4kv/wI= diff --git a/pkg/command/command.go b/pkg/command/command.go index f2f240c0..938a7e6f 100755 --- a/pkg/command/command.go +++ b/pkg/command/command.go @@ -18,11 +18,14 @@ package command import ( + "fmt" "os/exec" "strings" "github.com/cgi-fr/pimo/pkg/model" "github.com/rs/zerolog/log" + + "github.com/mattn/go-shellwords" ) // MaskEngine implements MaskEngine with a console command @@ -38,7 +41,13 @@ func NewMask(cmd string) MaskEngine { // Mask delegate mask algorithm to an external program func (cme MaskEngine) Mask(e model.Entry, context ...model.Dictionary) (model.Entry, error) { log.Info().Msg("Mask command") - splitCommand := strings.Split(cme.Cmd, " ") + line := cme.Cmd + parser := shellwords.NewParser() + parser.ParseEnv = true + splitCommand, err := parser.Parse(line) + if err != nil { + return "", fmt.Errorf("failed to parse command %w", err) + } /* #nosec */ out, err := exec.Command(splitCommand[0], splitCommand[1:]...).Output() diff --git a/pkg/command/command_test.go b/pkg/command/command_test.go index 8c912521..1609bcab 100755 --- a/pkg/command/command_test.go 
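Review bot: In `Mask`, `splitCommand[0]` is indexed right after the new parse with no length check. As far as I know `shellwords` returns an empty slice and a nil error for an empty or whitespace-only `cme.Cmd`, so the call would now panic, whereas the old `strings.Split` produced `[""]` and let `exec.Command` return an error. A guard before the exec call avoids this: `if len(splitCommand) == 0 { return "", fmt.Errorf("empty command line %q", line) }`. Separately, `parser.ParseEnv = true` makes the process environment an input to the argv executed under the existing `/* #nosec */` suppression, which the changelog entry does not mention. Either drop it if only quote handling was intended, or document it with a comment such as `// ParseEnv: $VAR in the mask command is expanded from the process environment`. `Mask` continues past the end of this hunk.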
+++ b/pkg/command/command_test.go @@ -34,6 +34,16 @@ func TestMaskingShouldReplaceSensitiveValueByCommand(t *testing.T) { assert.Equal(t, waited, result, "should be Toto") } +func TestMaskingShouldPreserveSpaceInQuote(t *testing.T) { + nameProgramMasking := NewMask("echo \" Toto \" ") + data := "Benjamin" + result, err := nameProgramMasking.Mask(data) + assert.Equal(t, nil, err, "error should be nil") + waited := " Toto " + assert.NotEqual(t, data, result, "should be masked") + assert.Equal(t, waited, result, "should be Toto with space") +} + func TestMaskingShouldReturnAnErrorInCaseOfWrongCommand(t *testing.T) { nameCommandMasking := NewMask("WrongCommand")