fix: add double quote around curl args

cerberauth · Jan 2, 2025 · 381e99c · 381e99c
1 parent e139efd
commit 381e99c
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 24 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -75,16 +75,17 @@ jobs:
         run: |
           docker run -d -p 8080:8080 ${{ env.DOCKER_IMAGE }}
           sleep 5
+          curl --verbose http://localhost:8080
           curl --verbose http://localhost:8080 -H "Authorization: Bearer ${{ steps.get-jwt.outputs.jwt }}"
 
-      - name: Test CURL Local Action
+      - name: Test cURL Local Action
         uses: ./
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           scans: jwt.*
           curl: |
-            curl http://localhost:8080 -H "Authorization: Bearer ${{ steps.get-jwt.outputs.jwt }}"
+            http://localhost:8080 -H "Authorization: Bearer ${{ steps.get-jwt.outputs.jwt }}"
 
       - name: Check for vulnerabilities
         if: ${{ success() }}
@@ -139,14 +140,24 @@ jobs:
           sleep 5
           curl --verbose http://localhost:8080 -H "Authorization: Bearer ${{ steps.get-jwt.outputs.jwt }}"
 
-      - name: Test cURL Local Action
+      - name: Test cURL Local Action with rate limit and excluded scans
+        uses: ./
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          rateLimit: 1000/s
+          excludeScans: discover.*
+          curl: |
+            http://localhost:8080 -H "Authorization: Bearer ${{ steps.get-jwt.outputs.jwt }}"
+
+      - name: Test cURL Local Action with selected scans
         uses: ./
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           scans: jwt.*
           curl: |
-            curl http://localhost:8080 -H "Authorization: Bearer ${{ steps.get-jwt.outputs.jwt }}"
+            http://localhost:8080 -H "Authorization: Bearer ${{ steps.get-jwt.outputs.jwt }}"
 
       - name: Test cURL Local Action without Telemetry
         uses: ./
@@ -155,7 +166,7 @@ jobs:
         with:
           scans: jwt.*
           curl: |
-            curl http://localhost:8080 -H "Authorization: Bearer ${{ steps.get-jwt.outputs.jwt }}"
+            http://localhost:8080 -H "Authorization: Bearer ${{ steps.get-jwt.outputs.jwt }}"
           telemetry: false
 
       # - name: Test OpenAPI Local Action

diff --git a/action.yml b/action.yml
@@ -32,7 +32,6 @@ inputs:
   rateLimit:
     description: 'The rate limit used to run API vulnerability scans'
     required: false
-    default: 10/s
 
   telemetry:
     description:

diff --git a/badges/coverage.svg b/badges/coverage.svg
diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/src/main.js b/src/main.js
@@ -6,16 +6,17 @@ const { installVersion } = require('./installer')
 
 function getArgsFromInput(input) {
   const inputArgs = parseArgs(input)
+  debug(`Parsed input args: ${JSON.stringify(inputArgs)}`)
   return Object.entries(inputArgs).flatMap(([key, value]) => {
     if (key === '_') {
       return value
     }
 
     if (key.length === 1) {
-      return `-${key} ${value}`
+      return `-${key} "${value}"`
     }
 
-    return `--${key}=${value}`
+    return `--${key}="${value}"`
   })
 }
 
@@ -34,17 +35,17 @@ function getCommonArgs() {
 
   const scans = getInput('scans')
   if (scans) {
-    commonArgs.push(`--scans=${scans}`)
+    commonArgs.push(`--scans="${scans}"`)
   }
 
   const excludeScans = getInput('excludeScans')
   if (excludeScans) {
-    commonArgs.push(`--exclude-scans=${excludeScans}`)
+    commonArgs.push(`--exclude-scans="${excludeScans}"`)
   }
 
   const proxy = getInput('proxy')
   if (proxy) {
-    commonArgs.push(`--proxy=${proxy}`)
+    commonArgs.push(`--proxy="${proxy}"`)
   }
 
   const severityThreshold = getInput('severityThreshold')
@@ -74,11 +75,13 @@ async function run() {
       debug(`Parsing curl input: ${curl}`)
       const args = getArgsFromInput(curl.replace('curl ', ''))
 
-      debug(`Running vulnapi scan with curl: ${JSON.stringify(args)}`)
-      await exec('vulnapi scan curl', [...args, ...commonArgs])
+      debug(
+        `Running vulnapi scan with curl: ${JSON.stringify(args)} ${JSON.stringify(commonArgs)}`
+      )
+      await exec('vulnapi', ['scan', 'curl', ...args, ...commonArgs])
     } else if (openapi) {
       debug(`Running vulnapi scan with openapi: ${openapi}`)
-      await exec('vulnapi scan openapi', [openapi, ...commonArgs])
+      await exec('vulnapi', ['scan', 'openapi', openapi, ...commonArgs])
     } else {
       setFailed('You must provide curl or openapi input')
     }