chore(docker): avoid shell interpretation and uncontrolled path expansion#31110
Open
chore(docker): avoid shell interpretation and uncontrolled path expansion#31110
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
thetaPC
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue number: N/A
What is the current behavior?
When passing a Playwright flag with a space in its value (e.g.
--project='Mobile Safari'), the shell strips the quotes before Node receives the argument. Sincedocker.mjspassed args toexecawithshell: true, the unquoted space caused the argument to be split and Playwright never received the correct value.Additionally, arguments like
-e DISPLAY=${display},-v ${displayVolume}, and--mountwere constructed as combined strings and passed through shell interpretation, meaning special characters in those values (e.g. spaces in an absolute path) could cause the command to fail unexpectedly. This caused CodeQL to trigger with security issues.What is the new behavior?
Each Docker argument is now passed as a separate array element to
execawithoutshell: true, so values are forwarded directly to Docker without shell re-interpretation. This preserves spaces within argument values (e.g.--project='Mobile Safari') and prevents uncontrolled expansion of paths and environment variable values.The security issues stated by CodeQL has been addressed.
Does this introduce a breaking change?
Other information
Verify that the following command works:
npm run test.e2e.docker datetime/test/basic -- -g 'IO fallback' --project='Mobile Safari' --repeat-each=20