codecov · drazisil · Feb 22, 2020 · Feb 19, 2020
diff --git a/codecov/__init__.py b/codecov/__init__.py
@@ -34,6 +34,10 @@
 
 remove_token = re.compile(r'token=[^\&]+').sub
 
+def sanitize_arg(replacement, arg):
+    return re.sub(r'[\&]+', replacement, arg, 0, re.MULTILINE)
+
+
 ignored_path = re.compile(r'(/vendor)|'
                           r'(/js/generated/coverage)|'
                           r'(/__pycache__)|'
@@ -624,11 +628,11 @@ def main(*argv, **kwargs):
             )
             write('==> Processing gcov (disable by -X gcov)')
             cmd = "find %s %s -type f -name '*.gcno' %s -exec %s -pb %s {} +" % (
-                  (codecov.gcov_root or root),
+                  (sanitize_arg('', codecov.gcov_root or root)),
                   dont_search_here,
                   " ".join(map(lambda a: "-not -path '%s'" % a, codecov.gcov_glob)),
-                  (codecov.gcov_exec or ''),
-                  (codecov.gcov_args or ''))
+                  (sanitize_arg('', codecov.gcov_exec or '')),
+                  (sanitize_arg('', codecov.gcov_args or '')))
             write('    Executing gcov (%s)' % cmd)
             try_to_run(cmd)
 

diff --git a/tests/test.py b/tests/test.py
@@ -315,6 +315,9 @@ def test_none_found(self):
         else:
             raise Exception("Did not raise AssertionError")
 
+    def test_sanitize_arg(self):
+        self.assertEqual(codecov.sanitize_arg('', '& echo test > vuln1.txt'), ' echo test > vuln1.txt')
+
     @unittest.skipUnless(os.getenv('JENKINS_URL'), 'Skip Jenkins CI test')
     def test_ci_jenkins(self):
         self.set_env(BUILD_URL='https://....',