M293/backport 5852 (#2406)

fhammerl · ruvceskistefan · web-flow · commit d42fd4aa9806 · 2023-01-30T16:58:56.000+01:00
* set env in ProcessInvoker sanitized (#2280) * set env in ProcessInvoker sanitized * Update release notes and runnerversion --------- Co-authored-by: Stefan Ruvceski <96768603+ruvceskistefan@users.noreply.github.com>
diff --git a/releaseNote.md b/releaseNote.md
@@ -1,6 +1,7 @@
 ## Features
 ## Bugs
 - Fixed an issue where container environment variables names or values could escape the docker command (#2108)
+- Sanitize Windows ENVs (#2280)
 
 ## Misc
 
diff --git a/src/Runner.Sdk/ProcessInvoker.cs b/src/Runner.Sdk/ProcessInvoker.cs
@@ -264,7 +264,17 @@ public async Task<int> ExecuteAsync(
             {
                 foreach (KeyValuePair<string, string> kvp in environment)
                 {
+#if OS_WINDOWS
+                    string tempKey = String.IsNullOrWhiteSpace(kvp.Key) ? kvp.Key : kvp.Key.Split('\0')[0];
+                    string tempValue = String.IsNullOrWhiteSpace(kvp.Value) ? kvp.Value : kvp.Value.Split('\0')[0];
+                    if(!String.IsNullOrWhiteSpace(tempKey))
+                    {
+                         _proc.StartInfo.Environment[tempKey] = tempValue;
+                    }
+#else
                     _proc.StartInfo.Environment[kvp.Key] = kvp.Value;
+
+#endif
                 }
             }
 
diff --git a/src/Test/L0/ProcessInvokerL0.cs b/src/Test/L0/ProcessInvokerL0.cs
@@ -129,7 +129,76 @@ public async Task SetCIEnv()
                 }
             }
         }
+#if OS_WINDOWS
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Common")]
+        public async Task SetTestEnvWithNullInKey()
+        {
+            using (TestHostContext hc = new(this))
+            {
+                Tracing trace = hc.GetTrace();
+
+                Int32 exitCode = -1;
+                var processInvoker = new ProcessInvokerWrapper();
+                processInvoker.Initialize(hc);
+                var stdout = new List<string>();
+                var stderr = new List<string>();
+                processInvoker.OutputDataReceived += (object sender, ProcessDataReceivedEventArgs e) =>
+                {
+                    trace.Info(e.Data);
+                    stdout.Add(e.Data);
+                };
+                processInvoker.ErrorDataReceived += (object sender, ProcessDataReceivedEventArgs e) =>
+                {
+                    trace.Info(e.Data);
+                    stderr.Add(e.Data);
+                };
+
+                exitCode = await processInvoker.ExecuteAsync("", "cmd.exe", "/c \"echo %TEST%\"",  new Dictionary<string, string>() { { "TEST\0second", "first" } }, CancellationToken.None);
+
+
+                trace.Info("Exit Code: {0}", exitCode);
+                Assert.Equal(0, exitCode);
+                Assert.Equal("first", stdout.First(x => !string.IsNullOrWhiteSpace(x)));
+
+            }
+        }
 
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Common")]
+        public async Task SetTestEnvWithNullInValue()
+        {
+            using (TestHostContext hc = new(this))
+            {
+                Tracing trace = hc.GetTrace();
+
+                Int32 exitCode = -1;
+                var processInvoker = new ProcessInvokerWrapper();
+                processInvoker.Initialize(hc);
+                var stdout = new List<string>();
+                var stderr = new List<string>();
+                processInvoker.OutputDataReceived += (object sender, ProcessDataReceivedEventArgs e) =>
+                {
+                    trace.Info(e.Data);
+                    stdout.Add(e.Data);
+                };
+                processInvoker.ErrorDataReceived += (object sender, ProcessDataReceivedEventArgs e) =>
+                {
+                    trace.Info(e.Data);
+                    stderr.Add(e.Data);
+                };
+
+                exitCode = await processInvoker.ExecuteAsync("", "cmd.exe", "/c \"echo %TEST%\"",  new Dictionary<string, string>() { { "TEST", "first\0second" } }, CancellationToken.None);
+
+                trace.Info("Exit Code: {0}", exitCode);
+                Assert.Equal(0, exitCode);
+                Assert.Equal("first", stdout.First(x => !string.IsNullOrWhiteSpace(x)));
+
+            }
+        }
+#endif
         [Fact]
         [Trait("Level", "L0")]
         [Trait("Category", "Common")]
diff --git a/src/runnerversion b/src/runnerversion
@@ -1 +1 @@
-2.293.1
+2.293.2

Original file line number	Diff line number	Diff line change
`@@ -264,7 +264,17 @@ public async Task<int> ExecuteAsync(`
`264`	`264`	`{`
`265`	`265`	`foreach (KeyValuePair<string, string> kvp in environment)`
`266`	`266`	`{`
	`267`	`+#if OS_WINDOWS`
	`268`	`+ string tempKey = String.IsNullOrWhiteSpace(kvp.Key) ? kvp.Key : kvp.Key.Split('\0')[0];`
	`269`	`+ string tempValue = String.IsNullOrWhiteSpace(kvp.Value) ? kvp.Value : kvp.Value.Split('\0')[0];`
	`270`	`+ if(!String.IsNullOrWhiteSpace(tempKey))`
	`271`	`+ {`
	`272`	`+ _proc.StartInfo.Environment[tempKey] = tempValue;`
	`273`	`+ }`
	`274`	`+#else`
`267`	`275`	`_proc.StartInfo.Environment[kvp.Key] = kvp.Value;`
	`276`	`+`
	`277`	`+#endif`
`268`	`278`	`}`
`269`	`279`	`}`
`270`	`280`