JSON build-args are not properly escaped #726

Closed
ruslandoga opened this issue Nov 19, 2022 · 2 comments · Fixed by #736

Comments

ruslandoga commented Nov 19, 2022

👋

Behaviour

For a Dockerfile like

FROM alpine:3.16.3

ARG BUILD_INFO
ENV BUILD_INFO=$BUILD_INFO

and a workflow like

# ...
- id: meta
  uses: docker/metadata-action@v4
  with:
    # ...

- uses: docker/build-push-action@v3
  with:
    # ...
    build-args: |
      BUILD_INFO=${{ steps.meta.outputs.json }}

JSON passed to build-args is not properly escaped, resulting in a container image with invalid JSON in $BUILD_INFO:

$ docker run -ti --rm ghcr.io/ruslandoga/docker-build-info:master-59d6c0f ash
# printenv BUILD_INFO
{"tags":["ghcr.io/ruslandoga/docker-build-info:master",ghcr.io/ruslandoga/docker-build-info:59d6c0f,"ghcr.io/ruslandoga/docker-build-info:master-59d6c0f"],"labels":{"org.opencontainers.image.title":"docker-build-info","org.opencontainers.image.description":"","org.opencontainers.image.url":"https://github.com/ruslandoga/docker-build-info","org.opencontainers.image.source":"https://github.com/ruslandoga/docker-build-info","org.opencontainers.image.version":"master","org.opencontainers.image.created":"2022-11-19T10:24:20.161Z","org.opencontainers.image.revision":"59d6c0f96080acc485cbbf11bbffa1b472d2b12b","org.opencontainers.image.licenses":""}}

Note the second tag in tags, ghcr.io/ruslandoga/docker-build-info:59d6c0f. It's not quoted.

Steps to reproduce this issue

Please see the Dockerfile and GitHub CI workflow in https://github.com/ruslandoga/docker-build-info

Expected behaviour

The build args are copied as is and/or are properly escaped, so that after the build, the BUILD_INFO env var contains valid JSON:

$ printenv BUILD_INFO
{"tags":["ghcr.io/ruslandoga/docker-build-info:master","ghcr.io/ruslandoga/docker-build-info:59d6c0f",...etc...}}

Actual behaviour

BUILD_INFO env var contains invalid JSON:

$ printenv BUILD_INFO
{"tags":["ghcr.io/ruslandoga/docker-build-info:master",ghcr.io/ruslandoga/docker-build-info:59d6c0f,...etc...}}

Logs

logs_7.zip

ruslandoga changed the title from "JSON build-args are not properly excaped" to "JSON build-args are not properly escaped" on Nov 24, 2022

ruslandoga commented Dec 3, 2022

@crazy-max hi!

Sorry to bother you, but I wonder if you could give me some pointers as to where it might be happening in the codebase and I'd be happy to open a PR with a possible fix. It's now affecting real users: plausible/analytics#2491


The bug seems to be coming from this CSV parse

const records = await parse(items, {
  columns: false,
  relaxQuotes: true,
  relaxColumnCount: true,
  skipEmptyLines: true
});

For my input above it returns

    [
      [
        'BUILD_INFO={"tags":["ghcr.io/ruslandoga/docker-build-info:master"',
        'ghcr.io/ruslandoga/docker-build-info:650b4e7',
        '"ghcr.io/ruslandoga/docker-build-info:master-650b4e7"]',
        '"labels":{"org.opencontainers.image.title":"docker-build-info"',
        '"org.opencontainers.image.description":""',
        '"org.opencontainers.image.url":"https://github.com/ruslandoga/docker-build-info"',
        '"org.opencontainers.image.source":"https://github.com/ruslandoga/docker-build-info"',
        '"org.opencontainers.image.version":"master"',
        '"org.opencontainers.image.created":"2022-11-19T10:28:31.065Z"',
        '"org.opencontainers.image.revision":"650b4e776fbc5cf57ca12e147b219d0a6f6e1bf6"',
        '"org.opencontainers.image.licenses":""}}'
      ]
    ]

I wonder if using a CSV parser at all makes sense here if it doesn't protect against unescaped newlines in the input?

['build-args', 'BUILD_INFO="\nasdf\nasdf",asdf\nBUILD_META=asdf']

gets turned into

[
  'build',
  '--build-arg', 'BUILD_INFO="',
  '--build-arg', 'asdf',
  '--build-arg', 'asdf",asdf',
  '--build-arg', 'BUILD_META=asdf',
]
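
The quoting loss described in the comment above, as an added example that is not part of the original issue or the project's code. `relaxedCsvFields` is a simplified model of relaxed-quote field splitting (an assumption, not csv-parse itself), `viaLines` is one hypothetical alternative that keeps each line verbatim, and the sample input uses constructed placeholder image names.

```javascript
// Added illustration: a simplified model of relaxed-quote CSV splitting,
// not csv-parse's implementation and not build-push-action code.
function relaxedCsvFields(line) {
  const fields = [];
  for (let i = 0; i <= line.length; i++) {
    if (line[i] === '"') {
      const close = line.indexOf('"', i + 1);
      const next = line[close + 1];
      if (close !== -1 && (next === undefined || next === ',')) {
        fields.push(line.slice(i + 1, close)); // wrapping quotes are dropped
        i = close + 1;
        continue;
      }
    }
    // Unquoted field, or a quote not closed right before a delimiter: keep raw.
    const comma = line.indexOf(',', i);
    const end = comma === -1 ? line.length : comma;
    fields.push(line.slice(i, end));
    i = end;
  }
  return fields;
}

// Lossy path: split into fields, then re-join with commas.
function viaCsv(line) {
  return relaxedCsvFields(line).join(',');
}

// Hypothetical alternative (an assumption): one build arg per line, kept verbatim.
function viaLines(input) {
  return input.split('\n').filter((l) => l.trim() !== '');
}

// Check: does a KEY=VALUE arg whose value looks like JSON still parse?
function jsonArgIntact(arg) {
  const value = arg.slice(arg.indexOf('=') + 1);
  if (!/^[{[]/.test(value)) return true; // not JSON-shaped, nothing to verify
  try { JSON.parse(value); return true; } catch { return false; }
}

// Constructed sample shaped like the metadata JSON in this issue.
const sample = 'BUILD_INFO=' + JSON.stringify({
  tags: ['example.test/app:master', 'example.test/app:abc1234', 'example.test/app:master-abc1234'],
  labels: { 'org.opencontainers.image.description': '' },
});

console.log(viaCsv(sample));                        // second tag loses its quotes
console.log(jsonArgIntact(viaCsv(sample)), jsonArgIntact(viaLines(sample)[0]));
```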

@ruslandoga
Contributor Author

@crazy-max 👋

Since the issue hasn't been fixed, would you mind reopening it?
