Open kit-ty-kate opened 10 months ago
I have mixed feelings about the bug report. I think there's a case for considering that the shell syntax requires the escape, not the Dockerfile, and that the newline should be escaped in the original string.
I've drafted a patch for the problem, though. I'm also wondering where the escape should apply: only to RUN instructions, or to a lot more places?
I don't mind if the escapes are not added, but I think the library should check that the string given as input is well-formed and is not going to escape its scope and create a new section. e.g.
```
run "%s" input_from_user
```
if `input_from_user = "true\nA-NEW-MALICIOUS-SECTION"`, then it would create a potentially dangerous Dockerfile:
```
RUN true
A-NEW-MALICIOUS-SECTION
```
I also think this check should be done in all the places where a raw input is output (most instructions, I suspect).
Example:
results in the incorrect Dockerfile:
Instead, each `\n` character should be escaped using `\`, as per https://docs.docker.com/engine/reference/builder/#format
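The newline-injection problem and the two defences discussed in this thread (reject input that contains a newline, or escape each newline with `\` as the Dockerfile format permits), as an added example in Python. It is not part of the issue, the patch, or the library under discussion; the function names, the minimal parser model and the sample input are assumptions of this example. The parser model mirrors only the documented rules for the default escape character: a line ending in `\` continues on the next line, and blank or `#` comment lines are dropped, including inside a continuation.

```python
from __future__ import annotations

import re

# Dockerfile's default escape / line-continuation character. The
# `# escape=` parser directive can change it; this example assumes the default.
ESCAPE = "\\"
# A line that ends with the escape token (optionally followed by spaces or
# tabs) continues on the next line.
_CONTINUATION = re.compile(r"\\[ \t]*$")


def render_run_unchecked(arg: str) -> str:
    """The vulnerable pattern from the issue: raw interpolation, like run "%s"."""
    return f"RUN {arg}"


def is_single_line(arg: str) -> bool:
    """Well-formedness check: the argument may not contain any newline."""
    return "\n" not in arg and "\r" not in arg


def escape_newlines(arg: str) -> str:
    """Escape each newline with the escape token so that the following line
    is parsed as a continuation of the same instruction, not a new one."""
    return arg.replace("\r\n", "\n").replace("\n", ESCAPE + "\n")


def render_run(arg: str, strict: bool = True) -> str:
    """Render a RUN instruction from untrusted input.

    strict=True rejects newlines outright (the check suggested in the issue);
    strict=False escapes them (the fix suggested in the issue).
    """
    if strict:
        if not is_single_line(arg):
            raise ValueError("RUN argument must not contain newline characters")
        return render_run_unchecked(arg)
    return render_run_unchecked(escape_newlines(arg))


def parse_instructions(dockerfile: str) -> list[tuple[str, str]]:
    """Minimal model of how the Dockerfile parser splits text into instructions.

    An escaped newline joins the next line onto the current instruction with
    no separator inserted; blank lines and `#` comment lines are dropped,
    including when they appear inside a continuation.
    """
    instructions: list[tuple[str, str]] = []
    logical: str | None = None  # instruction text accumulated so far

    def emit(text: str) -> None:
        name, _, rest = text.strip().partition(" ")
        instructions.append((name.upper(), rest.strip()))

    for raw in dockerfile.split("\n"):
        line = raw.rstrip("\r")
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or comment line, inside or outside a continuation
        if logical is None:
            logical = ""
        m = _CONTINUATION.search(line)
        if m:
            logical += line[: m.start()]  # drop the escape token, keep the rest
            continue
        emit(logical + line)
        logical = None
    if logical is not None:  # continuation left open at end of file
        emit(logical)
    return instructions


if __name__ == "__main__":
    # Constructed input, taken from the example in the issue.
    user_input = "true\nA-NEW-MALICIOUS-SECTION"
    print(parse_instructions(render_run_unchecked(user_input)))      # two instructions
    print(parse_instructions(render_run(user_input, strict=False)))  # one instruction
```

Run it and the unchecked rendering yields two instructions, `RUN true` followed by `A-NEW-MALICIOUS-SECTION`, while the escaped rendering yields a single `RUN`. The strict check is the safer default for this library's callers: the escaped form changes what the shell sees (the lines are joined without a separator), and a continuation line that starts with `#` is dropped by the Dockerfile parser, so escaping alone can silently truncate input rather than preserve it.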