From 30984abfafbcca643c648f4c35ffe86e0c7ca04c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20G=C3=B6bel?= <dgoebel@techfak.uni-bielefeld.de>
Date: Wed, 20 Sep 2023 18:02:26 +0200
Subject: [PATCH] Escape workflow parameters for bash

#50
---
 app/api/endpoints/workflow_version.py    | 2 +-
 app/api/utils.py                         | 5 +++++
 mako_templates/nextflow_command.template | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/app/api/endpoints/workflow_version.py b/app/api/endpoints/workflow_version.py
index b28e778..05d542a 100644
--- a/app/api/endpoints/workflow_version.py
+++ b/app/api/endpoints/workflow_version.py
@@ -289,7 +289,7 @@ async def download_workflow_documentation(
         if document is DocumentationEnum.PARAMETER_SCHEMA:
             path = workflow_mode.schema_path
 
-    return StreamingResponse(repo.download_file_stream(path, client))
+    return StreamingResponse(repo.download_file_stream(path, client), headers={"Cache-Control": "max-age=86400"})
 
 
 @router.post(
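Review bot: The new `Cache-Control: max-age=86400` header on the `StreamingResponse` has no `private` directive, so if this download is access-controlled (the route's dependencies are outside the hunk) an intermediary cache may keep the document for a day and serve it to other clients. If so, `headers={"Cache-Control": "private, max-age=86400"}` keeps the browser-side benefit while excluding shared caches. The change is also unrelated to the commit subject and would be easier to audit as its own commit. `download_workflow_documentation` begins above the hunk, so the cases where `path` is set to something that must not be cached cannot be checked from here.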
diff --git a/app/api/utils.py b/app/api/utils.py
index 101c0e7..3f7a592 100644
--- a/app/api/utils.py
+++ b/app/api/utils.py
@@ -1,5 +1,6 @@
 import json
 import re
+import shlex
 from io import BytesIO
 from tempfile import SpooledTemporaryFile
 from typing import TYPE_CHECKING, Any, BinaryIO, Dict, Optional, Sequence, Union
@@ -173,6 +174,10 @@ async def start_workflow_execution(
         f.write(json.dumps(parameters).encode("utf-8"))
         f.seek(0)
         s3.Bucket(name=settings.PARAMS_BUCKET).Object(key=params_file_name).upload_fileobj(f)
+    for key in parameters.keys():
+        if isinstance(parameters[key], str):
+            # Escape string parameters for bash shell
+            parameters[key] = shlex.quote(parameters[key]).replace("$", "\$")
 
     # Check if the there is an SCM file for the workflow
     scm_file_name = None
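Review bot: The `.replace("$", "\$")` chained after `shlex.quote` in the added loop looks like it corrupts values rather than protecting them. `shlex.quote` already wraps any string containing `$` in single quotes, where bash treats both `$` and the backslash literally, so the workflow would receive `\$` instead of `$`. If the rendered command really passes through a second expansion layer (not visible here), that layer should be escaped where it is introduced; otherwise `parameters[key] = shlex.quote(parameters[key])` is sufficient. `"\$"` is also an invalid escape sequence in a Python string literal and should be `"\\$"` if it is kept. The loop rewrites the caller's `parameters` dict in place, so any later use of it in `start_workflow_execution` (which continues outside the hunk) sees shell-quoted strings; a separate dict for rendering, such as `shell_params = {k: shlex.quote(v) if isinstance(v, str) else v for k, v in parameters.items()}`, avoids that.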
diff --git a/mako_templates/nextflow_command.template b/mako_templates/nextflow_command.template
index 60eced0..72dd2fd 100644
--- a/mako_templates/nextflow_command.template
+++ b/mako_templates/nextflow_command.template
@@ -18,5 +18,5 @@ ${nx_bin} run ${repo.repo_url} \
 % endif
 -revision ${repo.git_commit_hash} \
 % for param_name, param_value in parameters.items():
---${param_name} "${param_value}" \
+--${param_name} ${param_value} \
 % endfor
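Review bot: With the double quotes removed, `--${param_name} ${param_value}` is only safe if every value arrives already shell-quoted, and the loop in `app/api/utils.py` quotes top-level `str` values only. Lists, dicts and other non-string values are rendered through their string form with no quoting at all, so a string nested inside a list still reaches bash with its spaces and metacharacters intact. `${param_name}` is never quoted either. Quoting at render time closes both gaps and cannot be skipped by a caller: expose `shlex.quote` to the template (for example as `quote` in the render context) and write `--${quote(str(param_name))} ${quote(str(param_value))} \`, dropping the pre-quoting loop. Rejecting parameter names that do not match a strict pattern such as `^[A-Za-z0-9_.-]+$` before rendering would be a useful second check.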
-- 
GitLab