SQSCANGHA-55 Add curl redirect and fix splatting of URL with special chars

Author: antonioaversa

.github/qa-nginx-redirecting/compose.yml

@@ -0,0 +1,13 @@
+services:
+  https-proxy:
+    image: nginx
+    ports:
+      - 8080:8080
+    volumes:
+      - $GITHUB_WORKSPACE/.github/qa-nginx-redirecting/nginx.conf:/etc/nginx/nginx.conf:ro
+    healthcheck:
+      test: ["CMD", "curl", "--fail", "localhost:8080/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 20
+      start_period: 2m

.github/qa-nginx-redirecting/nginx.conf

@@ -0,0 +1,32 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    sendfile on;
+
+    keepalive_timeout 65;
+
+    include /etc/nginx/conf.d/*.conf;
+
+    server {
+        listen 8080;
+
+        location /health {
+            add_header 'Content-Type' 'text/plain';
+            return 200 "healthy\n";
+        }
+
+        location ~ /clientRedirectToSonarBinaries/(.*) {
+            return 301 "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/$1";
+        }
+    }
+}

.github/qa-sq-behind-ngix/nginx.conf

@@ -2,7 +2,6 @@ user nginx;
 worker_processes auto;
 
 error_log /var/log/nginx/error.log notice;
-pid       /var/run/nginx.pid;
 
 events {
     worker_connections  1024;
@@ -12,12 +11,6 @@ http {
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
 
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-
-    access_log  /var/log/nginx/access.log  main;
-
     sendfile on;
 
     keepalive_timeout 65;
@@ -28,7 +21,6 @@ http {
         listen 8080;
 
         location /health {
-            access_log off;
             add_header 'Content-Type' 'text/plain';
             return 200 "healthy\n";
         }
@@ -40,9 +32,6 @@ http {
         ssl_protocols TLSv1.1 TLSv1.2;
         ssl_certificate /etc/nginx/server.crt;
         ssl_certificate_key /etc/nginx/server.key;
-        
-        access_log /var/log/nginx/localhost;
-        error_log /var/log/nginx/localhost.error debug;
 
         location / {
             proxy_pass http://sonarqube:9000;

.github/workflows/qa.yml

@@ -116,6 +116,56 @@ jobs:
       - name: Assert Sonar Scanner CLI was not executed
         run: |
           ./test/assertFileDoesntExist ./output.properties
+  scannerBinariesUrlIsEscapedWithWget:
+    name: >
+      'scannerBinariesUrl' is escaped with wget so special chars are not injected in the download command
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run action with scannerBinariesUrl
+        id: runTest
+        uses: ./
+        continue-on-error: true
+        with:
+          scannerBinariesUrl: 'http://some_uri;touch file.txt;'
+        env:
+          NO_CACHE: true
+          SONAR_HOST_URL: http://not_actually_used
+          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output1.properties"}'
+      - name: Assert file.txt does not exist
+        run: |
+          ./test/assertFileDoesntExist "$RUNNER_TEMP/sonarscanner/file.txt"
+  scannerBinariesUrlIsEscapedWithCurl:
+    name: >
+      'scannerBinariesUrl' is escaped with curl so special chars are not injected in the download command
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Remove wget
+        run: sudo apt-get remove -y wget
+      - name: Assert wget is not available
+        run: |
+          if command -v wget 2>&1 >/dev/null
+          then
+            exit 1
+          fi
+      - name: Run action with scannerBinariesUrl
+        id: runTest
+        uses: ./
+        continue-on-error: true
+        with:
+          scannerBinariesUrl: 'http://some_uri http://another_uri''; touch file.txt;'
+        env:
+          NO_CACHE: true
+          SONAR_HOST_URL: http://not_actually_used
+          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output1.properties"}'
+      - name: Assert file.txt does not exist
+        run: |
+          ./test/assertFileDoesntExist "$RUNNER_TEMP/sonarscanner/file.txt"
   dontFailGradleTest:
     name: >
       Don't fail on Gradle project
@@ -376,6 +426,37 @@ jobs:
       - name: Assert failure of previous step
         if: steps.runTest.outcome == 'success'
         run: exit 1
+  curlPerformsRedirect:
+    name: >
+      curl performs redirect when scannerBinariesUrl returns 3xx
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Remove wget
+        run: sudo apt-get remove -y wget
+      - name: Assert wget is not available
+        run: |
+          if command -v wget 2>&1 >/dev/null
+          then
+            exit 1
+          fi
+      - name: Start nginx via Docker Compose
+        run: docker compose up -d --wait
+        working-directory: .github/qa-nginx-redirecting
+      - name: Run action with scannerBinariesUrl
+        id: runTest
+        uses: ./
+        with:
+          scannerBinariesUrl: http://localhost:8080/clientRedirectToSonarBinaries
+        env:
+          NO_CACHE: true
+          SONAR_HOST_URL: http://not_actually_used
+          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output1.properties"}'
+      - name: Assert Sonar Scanner CLI was downloaded
+        run: |
+          ./test/assertFileExists "$RUNNER_TEMP/sonarscanner/sonar-scanner-cli-6.2.1.4610-linux-x64.zip"
   useSslCertificate:
     name: >
       'SONAR_ROOT_CERT' is converted to truststore

install-sonar-scanner-cli.sh

@@ -23,33 +23,29 @@ else
      exit 1
 fi
 
+set -x
+
+mkdir -p $RUNNER_TEMP/sonarscanner
+cd $RUNNER_TEMP/sonarscanner
+
 SCANNER_FILE_NAME="sonar-scanner-cli-$INPUT_SCANNERVERSION-$FLAVOR.zip"
 SCANNER_URI="${INPUT_SCANNERBINARIESURL%/}/$SCANNER_FILE_NAME"
 
 if command -v wget &> /dev/null; then
-    DOWNLOAD_COMMAND="wget"
-    DOWNLOAD_ARGS="--no-verbose --user-agent=sonarqube-scan-action $SCANNER_URI"
+    wget --no-verbose --user-agent=sonarqube-scan-action "$SCANNER_URI"
 elif command -v curl &> /dev/null; then
-    DOWNLOAD_COMMAND="curl"
-    DOWNLOAD_ARGS="--silent --show-error --user-agent sonarqube-scan-action --output $SCANNER_FILE_NAME $SCANNER_URI"
+    curl --fail --silent --show-error --user-agent sonarqube-scan-action \
+         --location --output "$SCANNER_FILE_NAME" "$SCANNER_URI"
 elif [ "$RUNNER_OS" == "Windows" ] && [ -t "C:\\msys64\\usr\\bin\\wget.exe" ]; then
-    DOWNLOAD_COMMAND="C:\\msys64\\usr\\bin\\wget.exe"
-    DOWNLOAD_ARGS="--no-verbose --user-agent=sonarqube-scan-action $SCANNER_URI"
+    "C:\\msys64\\usr\\bin\\wget.exe" --no-verbose --user-agent=sonarqube-scan-action "$SCANNER_URI"
 elif [ "$RUNNER_OS" == "Windows" ] && [ -t "C:\\msys64\\usr\\bin\\curl.exe" ]; then
-    DOWNLOAD_COMMAND="C:\\msys64\\usr\\bin\\curl.exe"
-    DOWNLOAD_ARGS="--silent --show-error --user-agent sonarqube-scan-action --output $SCANNER_FILE_NAME $SCANNER_URI"
+    "C:\\msys64\\usr\\bin\\curl.exe" --fail --silent --show-error --user-agent sonarqube-scan-action \
+         --location --output "$SCANNER_FILE_NAME" "$SCANNER_URI"
 else
     echo "::error title=SonarScanner::Neither wget nor curl found on the machine"
     exit 1
 fi
 
-set -x
-
-mkdir -p $RUNNER_TEMP/sonarscanner
-cd $RUNNER_TEMP/sonarscanner
-
-$DOWNLOAD_COMMAND $DOWNLOAD_ARGS
-
 unzip -q $SCANNER_FILE_NAME
 
 # Folder name should correspond to the directory cached by the actions/cache