CGI-FR · adrienaury · Feb 7, 2025 · Feb 6, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,10 @@ Types of changes
 - `Fixed` for any bug fixes.
 - `Security` in case of vulnerabilities.
 
+## [1.30.1]
+
+- `Fixed` mask `command` split command line on space protected by quote
+
 ## [1.30.0]
 
 - `Added` mask `partitions` to handle fields containing different types of values by applying distinct transformations

diff --git a/go.mod b/go.mod
@@ -52,6 +52,7 @@ require (
 	github.com/labstack/gommon v0.4.2 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-shellwords v1.0.12
 	github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 // indirect
 	github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect

diff --git a/go.sum b/go.sum
@@ -98,6 +98,8 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
+github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
 github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 h1:AMFGa4R4MiIpspGNG7Z948v4n35fFGB3RR3G/ry4FWs=
 github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY=
 github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 h1:+n/aFZefKZp7spd8DFdX7uMikMLXX4oubIzJF4kv/wI=

diff --git a/pkg/command/command.go b/pkg/command/command.go
@@ -18,11 +18,14 @@
 package command
 
 import (
+	"fmt"
 	"os/exec"
 	"strings"
 
 	"github.com/cgi-fr/pimo/pkg/model"
 	"github.com/rs/zerolog/log"
+
+	"github.com/mattn/go-shellwords"
 )
 
 // MaskEngine implements MaskEngine with a console command
@@ -38,7 +41,13 @@ func NewMask(cmd string) MaskEngine {
 // Mask delegate mask algorithm to an external program
 func (cme MaskEngine) Mask(e model.Entry, context ...model.Dictionary) (model.Entry, error) {
 	log.Info().Msg("Mask command")
-	splitCommand := strings.Split(cme.Cmd, " ")
+	line := cme.Cmd
+	parser := shellwords.NewParser()
+	parser.ParseEnv = true
+	splitCommand, err := parser.Parse(line)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse command %w", err)
+	}
 	/* #nosec */
 	out, err := exec.Command(splitCommand[0], splitCommand[1:]...).Output()
 

diff --git a/pkg/command/command_test.go b/pkg/command/command_test.go
@@ -34,6 +34,16 @@ func TestMaskingShouldReplaceSensitiveValueByCommand(t *testing.T) {
 	assert.Equal(t, waited, result, "should be Toto")
 }
 
+func TestMaskingShouldPreserveSpaceInQuote(t *testing.T) {
+	nameProgramMasking := NewMask("echo \" Toto  \" ")
+	data := "Benjamin"
+	result, err := nameProgramMasking.Mask(data)
+	assert.Equal(t, nil, err, "error should be nil")
+	waited := " Toto  "
+	assert.NotEqual(t, data, result, "should be masked")
+	assert.Equal(t, waited, result, "should be Toto with space")
+}
+
 func TestMaskingShouldReturnAnErrorInCaseOfWrongCommand(t *testing.T) {
 	nameCommandMasking := NewMask("WrongCommand")