Comment args lose quotes
Overview of the Issue
When I pass arguments to atlantis that contain double quotes ("), the quotes are stripped from the command passed to terraform.
Reproduction Steps
- Use a workflow config like:
    workflows:
      workflow:
        plan:
          steps:
          - run: terraform-wrapper.sh plan -out $PLANFILE
The terraform-wrapper.sh script more or less does some application-specific setup and eventually calls terraform with the $@ args and $COMMENT_ARGS.
- Trigger atlantis and pass args containing a quote
atlantis plan -p myproject -- -target some.terraform.resource.id.with["quotes"]
Logs
I don't see any messages worth including besides this one:
{"level":"info","ts":"2022-03-23T23:41:02.574Z","caller":"events/events_controller.go:417","msg":"parsed comment as command=\"plan\" verbose=false dir=\"\" workspace=\"\" project=\"myproject\" flags=\"-target,some.terraform.resource.id.with[quotes]\"","json":{}}
As you can see, the quotes have been removed. Since issue tracker comment fields aren't some kind of shell interpreter, I don't see why the quote would be removed.
It works if the reply comment is single-quoted:
atlantis plan -p myproject -- -target 'some.terraform.resource.id.with["quotes"]'
But it is of course user-unfriendly and inconvenient to need to remember to put quotes around certain bits of my comment.
Environment details
- Atlantis version: 0.19.2
- Atlantis flags: None besides
Atlantis server-side config file:
    repos:
    - id: github.com/org/reponame
      apply_requirements: [approved, mergeable]
      allowed_overrides: [workflow]
      allowed_workflows: [workflow, workflow2, workflow3]
      allow_custom_workflows: false
Repo atlantis.yaml file:
version: 3
port: 8080
automerge: true
repo-whitelist: <censored>
atlantis-url: <censored>
log-level: debug
write-git-creds: true
hide-prev-plan-comments: true
allow-draft-prs: true
enable-diff-markdown-format: true
I'm not sure how much can actually be done here, some of this is a GitHub thing.
I had used the single-quote workaround generally, but recently used \ escapes on the quotes instead:
atlantis plan -p myproject -- -target some.terraform.resource.id.with[\"quotes\"]
and that also worked. However, in the displayed comment, the backslashes were not visible after I clicked the Comment button, but if I went to edit that comment, then I could see the backslashes (are they interpreted as Markdown escapes? – you can also see this behavior if you go to the Preview tab of the comment).
If there were some way that Atlantis could edit the user's comment and put it into a code block for reliable copy-paste of the command, that would be great (but I suspect it isn't possible).
On a more serious note, if the double quotes are being eaten by a shell, there may be a security vulnerability.
In Azure DevOps the following solution works to properly parse the COMMENT_ARGS variable:
TF_CLI_ARGS=($(echo $COMMENT_ARGS | tr ',' ' ' | sed -r 's/\\(.)/\1/g' | sed "s/'/'/g" | sed "s/"/\"/g"))
...and then call like:
COMMAND=("${TF_BINARY}" "plan" "-input=false" "-no-color" "-out" "${PLANFILE_NAME}" "${TF_CLI_ARGS[@]}")
(this resolves both single and double quote issues)
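Added example, not part of the thread and not Atlantis code: a POSIX sh sketch of how a wrapper such as terraform-wrapper.sh could turn COMMENT_ARGS into separate arguments without passing the value through `eval` or unquoted word splitting, which is the concern raised above about a shell eating the quotes. It assumes COMMENT_ARGS is comma-separated with every character backslash-escaped, as the `tr`/`sed` pipeline above implies; the function names and the sample value are hypothetical.

```shell
# Added example; function names are hypothetical.
# Assumes COMMENT_ARGS is comma-separated with every character backslash-escaped.

# Print one decoded argument per line. The value is only ever treated as data:
# no eval and no unquoted expansion, so quotes, spaces and $(...) stay literal.
decode_comment_args() {
    s=$1 cur=
    while [ -n "$s" ]; do
        rest=${s#?}; c=${s%"$rest"}; s=$rest      # pop the first character
        case $c in
            \\) rest=${s#?}; cur=$cur${s%"$rest"}; s=$rest ;;  # escaped: next char is literal
            ,)  printf '%s\n' "$cur"; cur= ;;                   # unescaped comma ends an argument
            *)  cur=$cur$c ;;
        esac
    done
    [ -z "$1" ] || printf '%s\n' "$cur"
}

# Run "$@" with the decoded arguments appended as separate argv entries.
# (Trailing empty arguments are dropped by the command substitution.)
with_comment_args() {
    if [ -n "${COMMENT_ARGS-}" ]; then
        while IFS= read -r arg; do
            set -- "$@" "$arg"
        done <<EOF
$(decode_comment_args "$COMMENT_ARGS")
EOF
    fi
    "$@"
}

# Constructed sample value for: -target a.b["k"] -var 'note=x y,$(hostname)'
COMMENT_ARGS='\-\t\a\r\g\e\t,\a\.\b\[\"\k\"\],\-\v\a\r,\n\o\t\e\=\x\ \y\,\$\(\h\o\s\t\n\a\m\e\)'
with_comment_args printf '[%s]\n'
# In a wrapper this would be, for example:
#   with_comment_args terraform plan -out "$PLANFILE"
```

An escaped comma or space stays inside its argument here, which the `tr ',' ' '` approach cannot preserve.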
Is this still happening with v0.19.8?