Final round of adding quoting to prevent command injection (#5167)

* refactor: use import alias

* fix: add quoting to further shell steps

vars/npmExecute.groovy

@@ -1,4 +1,6 @@
 import static com.sap.piper.Prerequisites.checkScript
+import static com.sap.piper.BashUtils.quoteAndEscape as q
+
 import com.sap.piper.GenerateDocumentation
 import com.sap.piper.ConfigurationHelper
 import com.sap.piper.Utils
@@ -65,7 +67,7 @@ void call(Map parameters = [:], body = null) {
                     npm --version
                 """
                 if (configuration.defaultNpmRegistry) {
-                    sh "npm config set registry ${configuration.defaultNpmRegistry}"
+                    sh "npm config set registry ${q(configuration.defaultNpmRegistry)}"
                 }
                 if (configuration.npmCommand) {
                     sh "npm ${configuration.npmCommand}"

vars/piperExecuteBin.groovy

@@ -9,6 +9,7 @@ import com.sap.piper.analytics.InfluxData
 import groovy.transform.Field
 
 import static com.sap.piper.Prerequisites.checkScript
+import static com.sap.piper.BashUtils.quoteAndEscape as q
 
 @Field String STEP_NAME = getClass().getName()
 
@@ -132,7 +133,7 @@ static String getCustomDefaultConfigs() {
     // resources by setupCommonPipelineEnvironment.groovy into .pipeline/.
     List customDefaults = DefaultValueCache.getInstance().getCustomDefaults()
     for (int i = 0; i < customDefaults.size(); i++) {
-        customDefaults[i] = BashUtils.quoteAndEscape(".pipeline/${customDefaults[i]}")
+        customDefaults[i] = q(".pipeline/${customDefaults[i]}")
     }
     return customDefaults.join(',')
 }
@@ -151,7 +152,7 @@ static String getCustomConfigArg(def script) {
     if (script?.commonPipelineEnvironment?.configurationFile
         && script.commonPipelineEnvironment.configurationFile != '.pipeline/config.yml'
         && script.commonPipelineEnvironment.configurationFile != '.pipeline/config.yaml') {
-        return " --customConfig ${BashUtils.quoteAndEscape(script.commonPipelineEnvironment.configurationFile)}"
+        return " --customConfig ${q(script.commonPipelineEnvironment.configurationFile)}"
     }
     return ''
 }

vars/sonarExecuteScan.groovy

@@ -1,7 +1,9 @@
+import static com.sap.piper.Prerequisites.checkScript
+import static com.sap.piper.BashUtils.quoteAndEscape as q
+
 import com.sap.piper.JenkinsUtils
 import com.sap.piper.Utils
 import com.sap.piper.analytics.InfluxData
-import static com.sap.piper.Prerequisites.checkScript
 import groovy.transform.Field
 import java.nio.charset.StandardCharsets
 
@@ -40,7 +42,7 @@ void call(Map parameters = [:]) {
             // & `legacyPRHandling` & `inferBranchName`
             // writePipelineEnv needs to be called here as owner and repository may come from the pipeline environment
             writePipelineEnv(script: script, piperGoPath: piperGoPath)
-            Map stepConfig = readJSON(text: sh(returnStdout: true, script: "${piperGoPath} getConfig --stepMetadata '.pipeline/tmp/${METADATA_FILE}'${customDefaultConfig}${customConfigArg}"))
+            Map stepConfig = readJSON(text: sh(returnStdout: true, script: "${piperGoPath} getConfig --stepMetadata ${q('.pipeline/tmp/' + METADATA_FILE)}${customDefaultConfig}${customConfigArg}"))
             echo "Step Config: ${stepConfig}"
 
             List environment = []
@@ -135,7 +137,7 @@ private void loadCertificates(Map config) {
             def filename = new File(url).getName()
             filename = URLDecoder.decode(filename, StandardCharsets.UTF_8.name())
             sh "wget ${wgetOptions.join(' ')} ${url}"
-            sh "keytool ${keytoolOptions.join(' ')} -alias '${filename}' -file '${certificateFolder}${filename}'"
+            sh "keytool ${keytoolOptions.join(' ')} -alias ${q(filename)} -file '${certificateFolder}${filename}'"
         }
     }
 }