Escape newline chars in Docker output
Abandoned · Public

Authored by thcipriani on Jun 27 2017, 12:08 AM.

Details

Reviewers
dduvall
mmodell
Group Reviewers
Release-Engineering-Team
Patch without arc
git checkout -b D695 && curl -L https://phabricator.wikimedia.org/D695?download=true | git apply
Summary

One current vulnerability is the ability to inject a newline character
into Dockerfile output. Currently, a YAML file like:

base: debian:jessie
apt:
  packages: [libjpeg, libyaml, "\n RUN touch /bin/hello-world"]

Results in a Dockerfile with the line:

RUN touch /bin/hello-world

This provides a new function that escapes instructions.

Diff Detail

Repository
rGBLBR Blubber
Branch
master
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 1922
Build 3112: arc lint + arc unit

Event Timeline

thcipriani created this revision. (Jun 27 2017, 12:08 AM)
Restricted Application added a reviewer: mmodell. (Jun 27 2017, 12:08 AM)
Restricted Application added a reviewer: Release-Engineering-Team.
Restricted Application added a project: Release-Engineering-Team.
mmodell accepted this revision as: mmodell. (Jun 27 2017, 4:12 PM)
This revision is now accepted and ready to land. (Jun 27 2017, 4:12 PM)
thcipriani abandoned this revision. (Jul 7 2017, 3:30 PM)

rethought this in D705
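
The newline injection described in the Summary, as an added Go example that is not Blubber's code and not the patch under review: it renders the same package list unescaped and then in Docker's exec (JSON array) form, and counts the resulting instructions. The function names and the choice of exec-form encoding as the mitigation are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed input mirroring the YAML in the summary above.
var packages = []string{"libjpeg", "libyaml", "\n RUN touch /bin/hello-world"}

// renderNaive joins package names straight into a shell-form RUN line,
// so a newline inside a name ends the instruction and starts another.
func renderNaive(base string, pkgs []string) string {
	return "FROM " + base + "\nRUN apt-get install -y " + strings.Join(pkgs, " ") + "\n"
}

// renderExecForm emits the exec (JSON array) form of RUN. json.Marshal
// escapes control characters, so each value stays inside its own string.
func renderExecForm(base string, pkgs []string) (string, error) {
	argv := append([]string{"apt-get", "install", "-y"}, pkgs...)
	enc, err := json.Marshal(argv)
	if err != nil {
		return "", err
	}
	return "FROM " + base + "\nRUN " + string(enc) + "\n", nil
}

// countInstructions counts non-blank lines (one instruction per line here).
func countInstructions(dockerfile string) int {
	n := 0
	for _, line := range strings.Split(dockerfile, "\n") {
		if strings.TrimSpace(line) != "" {
			n++
		}
	}
	return n
}

func main() {
	naive := renderNaive("debian:jessie", packages)
	safe, err := renderExecForm("debian:jessie", packages)
	if err != nil {
		panic(err)
	}
	fmt.Printf("naive: %d instructions\n%s\n", countInstructions(naive), naive)
	fmt.Printf("exec form: %d instructions\n%s", countInstructions(safe), safe)
}
```

With the exec form the hostile value reaches apt-get as a single, invalid package name, so the build fails instead of running an extra instruction.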