go.mod: go get github.com/mattn/go-shellwords@v1.0.12

We use this library only for interpreting the "TF_CLI_ARG_..." environment variables as additional command line arguments, so the potential impact of this is very limited. The upstream changes here expand on the supported dynamic behavior around backtick command execution and nested environment variable expansion. We don't use either of those features, but just to make sure I changed the code to force them off (since otherwise another package in the program could change the package's global configuration) and added test cases that will fail if they end up turned on.
2026-02-05 06:46:14 +01:00 · 2024-03-13 10:20:23 -07:00
parent 61a5c1f57b
commit 48df3121af
4 changed files with 36 additions and 14 deletions
--- a/go.mod
+++ b/go.mod
@@ -50,7 +50,7 @@ require (
 	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0
 	github.com/masterzen/winrm v0.0.0-20200615185753-c42b5136ff88
 	github.com/mattn/go-isatty v0.0.20
-	github.com/mattn/go-shellwords v1.0.4
+	github.com/mattn/go-shellwords v1.0.12
 	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/go-linereader v0.0.0-20190213213312-1b945b3263eb
--- a/go.sum
+++ b/go.sum
@@ -832,8 +832,8 @@ github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU=
 github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/mattn/go-shellwords v1.0.4 h1:xmZZyxuP+bYKAKkA9ABYXVNJ+G/Wf3R8d8vAP3LDJJk=
-github.com/mattn/go-shellwords v1.0.4/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
+github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
+github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mergestat/timediff v0.0.3 h1:ucCNh4/ZrTPjFZ081PccNbhx9spymCJkFxSzgVuPU+Y=
 github.com/mergestat/timediff v0.0.3/go.mod h1:yvMUaRu2oetc+9IbPLYBJviz6sA7xz8OXMDfhBl7YSI=
--- a/main.go
+++ b/main.go
@@ -359,8 +359,13 @@ func mergeEnvArgs(envName string, cmd string, args []string) ([]string, error) {
 		return args, nil
 	}

+	swParser := &shellwords.Parser{
+		ParseEnv:      false,
+		ParseBacktick: false,
+	}
+
 	log.Printf("[INFO] %s value: %q", envName, v)
-	extra, err := shellwords.Parse(v)
+	extra, err := swParser.Parse(v)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"Error parsing extra CLI args from %s: %s",
--- a/main_test.go
+++ b/main_test.go
@@ -34,7 +34,7 @@ func TestMain_cliArgsFromEnv(t *testing.T) {
 	cases := []struct {
 		Name     string
 		Args     []string
-		Value    string
+		EnvValue string
 		Expected []string
 		Err      bool
 	}{
@@ -111,19 +111,36 @@ func TestMain_cliArgsFromEnv(t *testing.T) {
 			[]string{"-foo", "'bar baz'", "foo"},
 			false,
 		},
+
+		{
+			"backticks taken literally",
+			// The shellwords library we use to parse the environment variables
+			// has the option to automatically execute commands written in
+			// backticks. This test is here to make sure we don't accidentally
+			// enable that.
+			[]string{testCommandName, "foo"},
+			"-foo `echo nope`",
+			[]string{"-foo", "`echo nope`", "foo"},
+			false,
+		},
+
+		{
+			"no nested environment variable expansion",
+			// The shellwords library we use to parse the environment variables
+			// has the option to automatically expand sequences that appear
+			// to be environment variable interpolations. This test is here to
+			// make sure we don't accidentally enable that.
+			[]string{testCommandName, "foo"},
+			"-foo $OTHER_ENV",
+			[]string{"-foo", "$OTHER_ENV", "foo"},
+			false,
+		},
 	}

 	for i, tc := range cases {
 		t.Run(fmt.Sprintf("%d-%s", i, tc.Name), func(t *testing.T) {
-			os.Unsetenv(EnvCLI)
-			defer os.Unsetenv(EnvCLI)
-
-			// Set the env var value
-			if tc.Value != "" {
-				if err := os.Setenv(EnvCLI, tc.Value); err != nil {
-					t.Fatalf("err: %s", err)
-				}
-			}
+			t.Setenv(EnvCLI, tc.EnvValue)
+			t.Setenv("OTHER_ENV", "placeholder")

 			// Set up the args
 			args := make([]string, len(tc.Args)+1)