
Commit b2951c0

authored
Merge pull request #231 from codecov/ce-1380
CE-1380 Sanitize args
2 parents 73b1b13 + 2a80aa4 commit b2951c0


2 files changed

+10
-3
lines changed


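--- a/codecov/__init__.py
+++ b/codecov/__init__.py
@@ -34,6 +34,10 @@
 
 remove_token = re.compile(r'token=[^\&]+').sub
 
+
+def sanitize_arg(replacement, arg):
+return re.sub(r'[\&]+', replacement, arg, 0, re.MULTILINE)
+
+
 ignored_path = re.compile(r'(/vendor)|'
 r'(/js/generated/coverage)|'
 r'(/__pycache__)|'
@@ -624,11 +628,11 @@ def main(*argv, **kwargs):
 )
 write('==> Processing gcov (disable by -X gcov)')
 cmd = "find %s %s -type f -name '*.gcno' %s -exec %s -pb %s {} +" % (
-(codecov.gcov_root or root),
+(sanitize_arg('', codecov.gcov_root or root)),
 dont_search_here,
 " ".join(map(lambda a: "-not -path '%s'" % a, codecov.gcov_glob)),
-(codecov.gcov_exec or ''),
-(codecov.gcov_args or ''))
+(sanitize_arg('', codecov.gcov_exec or '')),
+(sanitize_arg('', codecov.gcov_args or '')))
 write(' Executing gcov (%s)' % cmd)
 try_to_run(cmd)
 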
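Review bot: Stripping only `&` in the three `sanitize_arg('', ...)` calls leaves every other shell metacharacter in `cmd` before it reaches `try_to_run`: `;`, `|`, backticks, `$(...)`, newlines and the `>` redirection that the new test itself shows surviving, so if `gcov_root`, `gcov_exec` or `gcov_args` can come from an untrusted source (environment, CI configuration) command injection is still possible. Quote rather than blacklist — `shlex.quote(codecov.gcov_root or root)` and `shlex.quote(codecov.gcov_exec or '')`, and for `gcov_args`, which presumably carries several options, `" ".join(shlex.quote(a) for a in shlex.split(codecov.gcov_args or ''))` — or build an argv list and run it without a shell. `dont_search_here` and each `codecov.gcov_glob` entry are interpolated into the same string unquoted, and a single quote inside a glob entry breaks out of the `-not -path '%s'` quoting. The `re.MULTILINE` flag has no effect on a character-class pattern and can be dropped from `sanitize_arg`. `main()` starts and ends outside the hunk.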
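--- a/tests/test.py
+++ b/tests/test.py
@@ -315,6 +315,9 @@ def test_none_found(self):
 else:
 raise Exception("Did not raise AssertionError")
 
+def test_sanitize_arg(self):
+self.assertEqual(codecov.sanitize_arg('', '& echo test > vuln1.txt'), ' echo test > vuln1.txt')
+
 @unittest.skipUnless(os.getenv('JENKINS_URL'), 'Skip Jenkins CI test')
 def test_ci_jenkins(self):
 self.set_env(BUILD_URL='https://....',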
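Review bot: The expected value `' echo test > vuln1.txt'` in `test_sanitize_arg` pins the current output rather than a safety property: the `>` redirection and the trailing command survive sanitisation, so the test passes while the string remains usable for injection. Assert what the sanitiser must guarantee instead, e.g. `self.assertFalse(re.search(r'[&;|`$><\n]', codecov.sanitize_arg('', payload)))` over a handful of payloads such as `'; rm -rf /'`, `'$(id)'` and `` '`id`' ``, and add one case showing a benign argument like `'-l'` passes through unchanged. The enclosing test class starts and ends outside the hunk.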
