Paths

Table of Contentst

Escape newline chars in Docker output
AbandonedPublic
Actions

Authored by thcipriani on Jun 27 2017, 12:08 AM.

Details

Reviewers

dduvall
mmodell

Group Reviewers

Release-Engineering-Team

Patch without arc

git checkout -b D695 && curl -L https://phabricator.wikimedia.org/D695?download=true | git apply

Summary

One current vulnerability is the ability to inject a newline character
into Dockerfile output. Currently, a yaml file like:

base: debian:jessie
apt:
  packages: [libjpeg, libyaml, "\n RUN touch /bin/hello-world"]

Results in a dockerfile with the line:

RUN touch /bin/hello-world

This provides a new function that escapes instructions

Diff Detail

Repository

rGBLBR Blubber

Branch

master

Lint

No Lint Coverage

Unit

No Test Coverage

Event Timeline

thcipriani created this revision.Jun 27 2017, 12:08 AM

Restricted Application added a reviewer: mmodell. · View Herald TranscriptJun 27 2017, 12:08 AM

Restricted Application added a reviewer: Release-Engineering-Team. · View Herald Transcript

Restricted Application added a project: Release-Engineering-Team. · View Herald Transcript

Harbormaster completed remote builds in Restricted Buildable.Jun 27 2017, 12:08 AM

mmodell accepted this revision as: mmodell.Jun 27 2017, 4:12 PM

This revision is now accepted and ready to land.Jun 27 2017, 4:12 PM

rethought this in D705

Revision Contents
Changeset List

Path

Size

build/

instructions.go

33 lines

docker/

compiler.go

12 lines

compiler_test.go

11 lines

Diff 1806

View Options

build/instructions.go

View Options

docker/compiler.go

View Options

Escape newline chars in Docker outputAbandonedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 1806

build/instructions.go

docker/compiler.go

docker/compiler_test.go

Escape newline chars in Docker output
AbandonedPublic
Actions

Revision Contents
Changeset List