fix: command injection vulnerability

due to missing quoting, command injection was possible via pipeline configuration. This is now fixed using a quoting and escaping utility.
SAP · Oct 24, 2024 · 71990b1 · 71990b1
1 parent 4990b2d
commit 71990b1
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/vars/testsPublishResults.groovy b/vars/testsPublishResults.groovy
@@ -1,4 +1,6 @@
 import static com.sap.piper.Prerequisites.checkScript
+// test
+import static com.sap.piper.BashUtils.quoteAndEscape as q
 
 import com.sap.piper.GenerateDocumentation
 import com.sap.piper.ConfigurationHelper
@@ -193,7 +195,7 @@ void touchFiles(pattern){
     echo "[${STEP_NAME}] update test results"
     def patternArray = pattern.split(',')
     for(def i = 0; i < patternArray.length; i++){
-        sh "find . -wholename '${patternArray[i].trim()}' -exec touch {} \\;"
+        sh "find . -wholename ${q(patternArray[i].trim())} -exec touch {} \\;"
     }
 }