Replace SAST ENV parsing to use AWK for multiline env variables
What does this MR do?
Related to #209333 (closed). Multi-line variables that contain = and quotes seem to break the parsing in some cases, ending up with an incorrect string; see this job as an example or the issue description (current working job after manually using this fix).
Since parsing multi-line variables purely in sh with the use of sed/tr seems quite fragile as I've mentioned in this comment in the issue, and we really only need the variable names, I'm proposing to use AWK's ENVIRON implementation.
We rely on the Docker image here, which is based on Alpine, which uses BusyBox. BusyBox's AWK implementation uses ENVIRON directly as **environ from unistd.h, which should be safer.
Screenshots
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
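
The parsing problem this MR describes, as an added example that is not part of the merge request or of GitLab's SAST template: line-based parsing of `env` output reports a variable name that does not exist when a value spans several lines and contains `=`, while AWK's ENVIRON yields only real names. The `SAST_DEMO_*` variables, the function names and the `sed` expression are constructed for illustration; the `sed` call is a stand-in for line-based parsing, not the template's actual code.

```shell
#!/bin/sh
# Constructed sample: one exported variable whose value spans several lines,
# with a middle line that looks like NAME="value".
SAST_DEMO_MULTILINE='first line
SAST_DEMO_FAKE="not=a real variable"
last line'
export SAST_DEMO_MULTILINE

# Line-based parsing (stand-in, not the template's actual code): every line
# of `env` output that starts with NAME= is taken as a separate variable.
names_line_based() {
  env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'
}

# AWK approach: ENVIRON is an array keyed by variable name, so newlines
# inside a value are never mistaken for the start of a new variable.
names_awk() {
  awk 'BEGIN { for (name in ENVIRON) print name }'
}

# Names that line-based parsing reports but that are not real variables.
phantom_names() {
  real=$(names_awk)
  names_line_based | while IFS= read -r n; do
    printf '%s\n' "$real" | grep -qxF -- "$n" || printf '%s\n' "$n"
  done
}

printf 'phantom names from line-based parsing:\n'
phantom_names
```

Any name printed by `phantom_names` would be forwarded as if it were a real variable by a script that trusts the line-based list.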