ocurrent / ocaml-dockerfile

OCaml interface for creating Dockerfiles
https://www.ocurrent.org/ocaml-dockerfile/
ISC License

Presence of spaces in a command is not escaped and results in an incorrect Dockerfile #192

Open kit-ty-kate opened 10 months ago

kit-ty-kate commented 10 months ago

Example:

from "alpine" @@
run "ls\n/"

results in the incorrect Dockerfile:

FROM alpine
RUN ls
/

Instead, each \n character should be escaped with \ as per https://docs.docker.com/engine/reference/builder/#format

MisterDA commented 10 months ago

I have mixed feelings about the bug report. I think there's a case for considering that the shell syntax requires the escape, not the Dockerfile, and that the newline should be escaped in the original string. I've drafted a patch for the problem, though. I'm also wondering where the escape should apply, only RUN instructions, or to a lot more places?

kit-ty-kate commented 9 months ago

I don't mind if the escapes are not added, but I think the library should check that the string given as input is well-formed and is not going to escape its scope and create a new section. e.g.

run "%s" input_from_user

if input_from_user = "true\nA-NEW-MALICIOUS-SECTION", then it would create a potentially dangerous Dockerfile:

RUN true
A-NEW-MALICIOUS-SECTION

I also think this check should be done in all the places where raw input is output (most instructions, I suspect).
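The injection discussed in this thread, and the two mitigations the participants mention (escaping each newline as a Dockerfile line continuation, or rejecting any argument that contains an unescaped newline), as an added Python example. It is not code from ocaml-dockerfile and does not use its API; the renderers, the toy instruction splitter and the sample payload are constructed for this illustration, and the check assumes Docker's default escape character (a `# escape=` parser directive would change it).

```python
"""Newline injection into a generated Dockerfile, and two ways to stop it.

Added illustration, not part of ocaml-dockerfile. The function names and the
sample inputs are constructed for this example.
"""

# Constructed payload from the issue: the newline opens a second instruction.
MALICIOUS_INPUT = "true\nA-NEW-MALICIOUS-SECTION"


class DockerfileInjection(ValueError):
    """Raised when an instruction argument would escape its instruction."""


def _escaped_at(s: str, i: int) -> bool:
    """True if s[i] is preceded by an odd run of backslashes, i.e. is escaped.

    Assumes the default Dockerfile escape character ('\\'); a '# escape=`'
    parser directive at the top of a Dockerfile would change it.
    """
    n = 0
    j = i - 1
    while j >= 0 and s[j] == "\\":
        n += 1
        j -= 1
    return n % 2 == 1


def run_unchecked(arg: str) -> str:
    """Behaviour reported in the issue: the argument is emitted verbatim."""
    return f"RUN {arg}"


def escape_newlines(arg: str) -> str:
    """Mitigation 1: turn every unescaped newline into a line continuation."""
    out = []
    for i, ch in enumerate(arg):
        if ch == "\n" and not _escaped_at(arg, i):
            out.append("\\")
        out.append(ch)
    return "".join(out)


def run_escaped(arg: str) -> str:
    return f"RUN {escape_newlines(arg)}"


def check_well_formed(arg: str) -> str:
    """Mitigation 2: reject input that contains an unescaped newline."""
    for i, ch in enumerate(arg):
        if ch == "\n" and not _escaped_at(arg, i):
            raise DockerfileInjection(
                f"unescaped newline at offset {i}: argument would start a new instruction"
            )
    return arg


def run_checked(arg: str) -> str:
    return f"RUN {check_well_formed(arg)}"


def logical_instructions(dockerfile: str) -> list[str]:
    """Toy split of a Dockerfile into instructions, honouring line continuation.

    A physical line ending in an unescaped backslash is joined to the next one
    (the backslash and newline are dropped, nothing else is normalised) and
    blank lines are ignored. This is only enough to show whether an argument
    stayed inside its instruction; it is not a full Dockerfile parser.
    """
    instructions: list[str] = []
    buf = ""
    for line in dockerfile.split("\n"):
        if line.endswith("\\") and not _escaped_at(line, len(line) - 1):
            buf += line[:-1]
            continue
        instructions.append(buf + line)
        buf = ""
    if buf:
        instructions.append(buf)
    return [ins for ins in instructions if ins.strip()]


if __name__ == "__main__":
    header = "FROM alpine\n"
    # Verbatim output: the payload becomes a third, attacker-chosen instruction.
    print(logical_instructions(header + run_unchecked(MALICIOUS_INPUT)))
    # Escaped output: the payload stays inside the RUN instruction.
    print(logical_instructions(header + run_escaped(MALICIOUS_INPUT)))
    # Checked output: the payload is refused before any Dockerfile is written.
    try:
        run_checked(MALICIOUS_INPUT)
    except DockerfileInjection as exc:
        print("rejected:", exc)
```

Escaping keeps the argument inside its instruction but silently changes what runs (the continuation joins `true` and the next line into one shell command), which is why rejecting unescaped newlines is the safer default when the argument comes from outside the program; the same check applies to every instruction whose argument is emitted raw, not only RUN.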