devtron-labs · Ash-exp · Dec 18, 2023 · Dec 19, 2023 · Dec 19, 2023 · Dec 19, 2023
diff --git a/helper/DockerHelper.go b/helper/DockerHelper.go
@@ -171,7 +171,7 @@ func DockerLogin(dockerCredentials *DockerCredentials) error {
 			pwd = pwd[:len(pwd)-1]
 		}
 	}
-	dockerLogin := fmt.Sprintf("docker login -u '%s' -p '%s' '%s' ", username, pwd, dockerCredentials.DockerRegistryURL)
+	dockerLogin := fmt.Sprintf("docker login -u %q -p %q %q", username, pwd, dockerCredentials.DockerRegistryURL)
 	awsLoginCmd := exec.Command("/bin/sh", "-c", dockerLogin)
 	err := util.RunCommand(awsLoginCmd)
 	if err != nil {
@@ -228,28 +228,28 @@ func BuildArtifact(ciRequest *CommonWorkflowRequest) (string, error) {
 				dockerBuild = dockerBuildxBuild + " "
 			}
 			if isTargetPlatformSet {
-				dockerBuild += "--platform " + dockerBuildConfig.TargetPlatform + " "
+				dockerBuild += fmt.Sprintf("--platform %q ", dockerBuildConfig.TargetPlatform)
 			}
 		}
 		dockerBuildFlags := make(map[string]string)
 		dockerBuildArgsMap := dockerBuildConfig.Args
 		for k, v := range dockerBuildArgsMap {
-			flagKey := fmt.Sprintf("%s %s", BUILD_ARG_FLAG, k)
+			flagKey := fmt.Sprintf("%s %q", BUILD_ARG_FLAG, strings.TrimSpace(k))
 			if strings.HasPrefix(v, DEVTRON_ENV_VAR_PREFIX) {
 				valueFromEnv := os.Getenv(strings.TrimPrefix(v, DEVTRON_ENV_VAR_PREFIX))
-				dockerBuildFlags[flagKey] = fmt.Sprintf("=\"%s\"", valueFromEnv)
+				dockerBuildFlags[flagKey] = fmt.Sprintf("=\"%s\"", strings.TrimSpace(valueFromEnv))
 			} else {
-				dockerBuildFlags[flagKey] = fmt.Sprintf("=%s", v)
+				dockerBuildFlags[flagKey] = fmt.Sprintf("=%s", strings.TrimSpace(v))
 			}
 		}
 		dockerBuildOptionsMap := dockerBuildConfig.DockerBuildOptions
 		for k, v := range dockerBuildOptionsMap {
-			flagKey := "--" + k
+			flagKey := "--" + strings.TrimSpace(k)
 			if strings.HasPrefix(v, DEVTRON_ENV_VAR_PREFIX) {
 				valueFromEnv := os.Getenv(strings.TrimPrefix(v, DEVTRON_ENV_VAR_PREFIX))
-				dockerBuildFlags[flagKey] = fmt.Sprintf("=%s", valueFromEnv)
+				dockerBuildFlags[flagKey] = fmt.Sprintf("=%s", strings.TrimSpace(valueFromEnv))
 			} else {
-				dockerBuildFlags[flagKey] = fmt.Sprintf("=%s", v)
+				dockerBuildFlags[flagKey] = fmt.Sprintf("=%s", strings.TrimSpace(v))
 			}
 		}
 		for key, value := range dockerBuildFlags {
@@ -295,7 +295,7 @@ func BuildArtifact(ciRequest *CommonWorkflowRequest) (string, error) {
 
 			dockerBuild = getBuildxBuildCommand(cacheEnabled, dockerBuild, oldCacheBuildxPath, localCachePath, dest, dockerBuildConfig)
 		} else {
-			dockerBuild = fmt.Sprintf("%s -f %s --network host -t %s %s", dockerBuild, dockerBuildConfig.DockerfilePath, ciRequest.DockerRepository, dockerBuildConfig.BuildContext)
+			dockerBuild = fmt.Sprintf("%s -f %q --network host -t %q %s", dockerBuild, dockerBuildConfig.DockerfilePath, ciRequest.DockerRepository, dockerBuildConfig.BuildContext)
 		}
 		if envVars.ShowDockerBuildCmdInLogs {
 			log.Println("Starting docker build : ", dockerBuild)
@@ -355,9 +355,9 @@ func BuildArtifact(ciRequest *CommonWorkflowRequest) (string, error) {
 }
 
 func getBuildxBuildCommand(cacheEnabled bool, dockerBuild, oldCacheBuildxPath, localCachePath, dest string, dockerBuildConfig *DockerBuildConfig) string {
-	dockerBuild = fmt.Sprintf("%s -f %s -t %s --push %s --network host --allow network.host --allow security.insecure", dockerBuild, dockerBuildConfig.DockerfilePath, dest, dockerBuildConfig.BuildContext)
+	dockerBuild = fmt.Sprintf("%s -f %q -t %q --push %q --network host --allow network.host --allow security.insecure", dockerBuild, dockerBuildConfig.DockerfilePath, dest, dockerBuildConfig.BuildContext)
 	if cacheEnabled {
-		dockerBuild = fmt.Sprintf("%s --cache-to=type=local,dest=%s,mode=max --cache-from=type=local,src=%s", dockerBuild, localCachePath, oldCacheBuildxPath)
+		dockerBuild = fmt.Sprintf("%s --cache-to=type=local,dest=%q,mode=max --cache-from=type=local,src=%s", dockerBuild, localCachePath, oldCacheBuildxPath)
 	}
 
 	provenanceFlag := dockerBuildConfig.GetProvenanceFlag()
@@ -455,7 +455,7 @@ func executeCmd(dockerBuild string) error {
 }
 
 func tagDockerBuild(dockerRepository string, dest string) error {
-	dockerTag := "docker tag " + dockerRepository + ":latest" + " " + dest
+	dockerTag := fmt.Sprintf("docker tag %q:latest %q", dockerRepository, dest)
 	log.Println(" -----> " + dockerTag)
 	dockerTagCMD := exec.Command("/bin/sh", "-c", dockerTag)
 	err := util.RunCommand(dockerTagCMD)
@@ -547,7 +547,7 @@ func BuildDockerImagePath(ciRequest *CommonWorkflowRequest) (string, error) {
 
 func PushArtifact(dest string) error {
 	//awsLogin := "$(aws ecr get-login --no-include-email --region " + ciRequest.AwsRegion + ")"
-	dockerPush := "docker push " + dest
+	dockerPush := fmt.Sprintf("docker push %q", dest)
 	log.Println("-----> " + dockerPush)
 	dockerPushCMD := exec.Command("/bin/sh", "-c", dockerPush)
 	err := util.RunCommand(dockerPushCMD)
@@ -581,7 +581,7 @@ func ExtractDigestForBuildx(dest string) (string, error) {
 }
 
 func ExtractDigestUsingPull(dest string) (string, error) {
-	dockerPull := "docker pull " + dest
+	dockerPull := fmt.Sprintf("docker pull %q", dest)
 	dockerPullCmd := exec.Command("/bin/sh", "-c", dockerPull)
 	digest, err := runGetDockerImageDigest(dockerPullCmd)
 	if err != nil {

diff --git a/helper/GitCliHelper.go b/helper/GitCliHelper.go
@@ -39,8 +39,8 @@ func (impl *GitUtil) Checkout(rootDir string, checkout string) (response, errMsg
 func (impl *GitUtil) runCommandWithCred(cmd *exec.Cmd, userName, password string) (response, errMsg string, err error) {
 	cmd.Env = append(os.Environ(),
 		fmt.Sprintf("GIT_ASKPASS=%s", GIT_AKS_PASS),
-		fmt.Sprintf("GIT_USERNAME=%s", userName), // ignored
-		fmt.Sprintf("GIT_PASSWORD=%s", password), // this value is used
+		fmt.Sprintf("GIT_USERNAME=%q", userName), // ignored; %q is used intentionally to sanitise the username
+		fmt.Sprintf("GIT_PASSWORD=%q", password), // this value is used; %q is used intentionally to sanitise the password
 	)
 	return impl.runCommand(cmd)
 }
@@ -102,7 +102,7 @@ func (impl *GitUtil) Clone(gitContext GitContext, rootDir string, remoteUrl stri
 // setting user.name and user.email as for non-fast-forward merge, git ask for user.name and email
 func (impl *GitUtil) Merge(rootDir string, commit string) (response, errMsg string, err error) {
 	log.Println(util.DEVTRON, "git merge ", "location", rootDir)
-	command := "cd " + rootDir + " && git config user.email git@devtron.com && git config user.name Devtron && git merge " + commit + " --no-commit"
+	command := fmt.Sprintf("cd %q && git config user.email git@devtron.com && git config user.name Devtron && git merge %q --no-commit", rootDir, commit)
 	cmd := exec.Command("/bin/sh", "-c", command)
 	output, errMsg, err := impl.runCommand(cmd)
 	log.Println(util.DEVTRON, "merge output", "root", rootDir, "opt", output, "errMsg", errMsg, "error", err)