Open
Description
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
- If you are interested in working on this issue or have submitted a pull request, please leave a comment.
Overview of the Issue
GitHub team names can include spaces. The Atlantis Go code passes the team names to the external authz shell script without quoting them, breaking any ACLs you might write in the script, since a team like "My Team" will be passed as separate arguments "My" and "Team".
Also, if a user has multiple teams, there appears to be additional breakage, but I can't figure out what's going on.
To fix the quoting issue, this might be a workable solution for server/events/external_team_allowlist_checker.go:
```go
func (checker *ExternalTeamAllowlistChecker) buildCommandString(ctx models.TeamAllowlistCheckerContext, teams []string, command string) string {
	cmdArr := append([]string{checker.Command}, checker.ExtraArgs...)
	orgTeams := make([]string, len(teams))
	for i, team := range teams {
		// Properly quote the team name
		orgTeams[i] = fmt.Sprintf("%q", fmt.Sprintf("%s/%s", ctx.BaseRepo.Owner, team))
	}
	teamStr := strings.Join(orgTeams, " ")
	return strings.Join(append(cmdArr, command, ctx.BaseRepo.FullName, teamStr), " ")
}
```
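An added example, not code from the issue author or from Atlantis: one way to make each dynamic value exactly one shell word, assuming the joined string is interpreted by a POSIX shell. It uses single-quote quoting because `%q` produces a Go double-quoted literal, inside which a shell still expands `$` and backticks. The function signature, script path, and team names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// shellQuote wraps s in single quotes so a POSIX shell reads it as one
// literal word; an embedded single quote is emitted as '\''.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// qualifiedTeams prefixes each team name with the repo owner ("owner/team").
func qualifiedTeams(owner string, teams []string) []string {
	out := make([]string, len(teams))
	for i, t := range teams {
		out[i] = owner + "/" + t
	}
	return out
}

// buildCommandString (hypothetical stand-alone signature) leaves the
// operator-configured script and extra args as written and quotes every
// value that comes from the VCS: command, repo name, and each team.
func buildCommandString(script string, extraArgs []string, command, repo, owner string, teams []string) string {
	parts := append([]string{script}, extraArgs...)
	dynamic := append([]string{command, repo}, qualifiedTeams(owner, teams)...)
	for _, w := range dynamic {
		parts = append(parts, shellQuote(w))
	}
	return strings.Join(parts, " ")
}

func main() {
	// Constructed sample team names: a space, a shell metacharacter, a quote.
	teams := []string{"My Team", "ops $HOME", "it's"}
	fmt.Println(buildCommandString("/opt/authz.sh", nil, "plan", "acme/infra", "acme", teams))

	// For contrast: Go's %q keeps "$HOME" inside double quotes, where a
	// shell would still expand it before the script sees the argument.
	fmt.Printf("%q\n", "acme/ops $HOME")
}
```

Each team arrives in the script as its own positional argument, so a multi-team user yields one argument per team rather than one space-joined string.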