danielfn
(danielfn)
September 1, 2025, 6:47am
18
IMHO there is no point in not disclosing this right away when it’s already in plain sight:
master ← task/abozhinoska/SQSCANGHA-101/add-input-injection-tests
opened 01:11PM - 21 Aug 25 UTC
[SQSCANGHA-101](https://sonarsource.atlassian.net/browse/SQSCANGHA-101)
There are even test cases in the repo that show exactly how to exploit the vulnerability: a potential command injection caused by unsanitized arguments.
```yaml
backtickCommandInjectionTest:
  name: >
    'args' input with backticks injection does not execute command
  strategy:
    matrix:
      os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
  runs-on: ${{ matrix.os }}
  steps:
    - uses: actions/checkout@v5
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
    - name: Run action with args
      uses: ./
      continue-on-error: true
      with:
        args: >
          -Dsonar.arg1="refs/heads/branch: [workflows] Bump `actions/*`" -Dsonar.arg2="test `echo Command Injection`" -Dsonar.arg3="`id`" -Dsonar.arg4="test'; `echo injection`; echo '" -Dsonar.arg5=" `whoami` " -Dsonar.arg6="test\`echo injection\`test"
      env:
        SONAR_HOST_URL: http://not_actually_used
        SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
```
Since this is an open-source repository, a bad actor could figure out the vulnerability in minutes. In this case, withholding information does more harm than good by not being completely transparent with customers from the start.
4 Likes
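The class of bug the quoted test guards against comes down to how a free-form `args` string reaches the scanner. The following is an added illustration, not code from the sonarqube-scan-action repository or from the poster: it contrasts re-parsing the string through a shell (where backticks and `$(...)` are command substitutions and run) with tokenising it once and passing an argv list (where the same characters stay literal). The sample input is constructed and modelled on the backtick test case above; `echo` and a small Python child stand in for the scanner so the effect is visible but harmless.

```python
"""Vulnerable vs. hardened handling of a free-form `args` string.

Added example; not part of the sonarqube-scan-action project.
"""
import json
import shlex
import subprocess
import sys

# Constructed sample input, modelled on the backtick test case quoted above.
SAMPLE_ARGS = '-Dsonar.arg3="`echo INJECTED`" -Dsonar.arg5=" `echo INJECTED` "'

# Sequences that open a command substitution in POSIX shells.
_SUBSTITUTION_MARKERS = ("`", "$(")


def contains_command_substitution(args: str) -> bool:
    """Cheap pre-flight check a wrapper can run before any shell sees the input."""
    return any(marker in args for marker in _SUBSTITUTION_MARKERS)


def run_through_shell(args: str) -> str:
    """Vulnerable pattern: the whole string is re-parsed by /bin/sh.

    `echo` stands in for the scanner. The substitution runs inside the shell
    and its output replaces the backticked text before echo ever sees it.
    """
    result = subprocess.run("echo " + args, shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout


def run_as_argv(args: str) -> list[str]:
    """Hardened pattern: tokenise once with shlex, then exec without a shell.

    A tiny Python child prints its argv as JSON so we can see exactly what the
    scanner process would receive. No shell is involved, so backticks are
    ordinary characters inside the tokens.
    """
    tokens = shlex.split(args)
    child = [sys.executable, "-c",
             "import sys, json; print(json.dumps(sys.argv[1:]))", *tokens]
    result = subprocess.run(child, capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    print("pre-flight flag:", contains_command_substitution(SAMPLE_ARGS))
    print("shell=True  ->", run_through_shell(SAMPLE_ARGS).rstrip())
    print("argv list   ->", run_as_argv(SAMPLE_ARGS))
```

Running it shows the shell path emitting `-Dsonar.arg3=INJECTED -Dsonar.arg5= INJECTED` (the inner `echo` executed), while the argv path delivers `` -Dsonar.arg3=`echo INJECTED` `` untouched. The pre-flight check is a defence-in-depth signal for logging or rejecting suspicious input; the structural fix is to never hand the string to a shell for a second parse.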