Currently it may be possible to inject custom macros or access things that we aren't expecting and potentially break the build (even accidentally) based on whether some value matches an rpmbuild macro.
Steps To Reproduce
As an example: in a build step inject a macro like:
```
%install
# insert extra stuff not in the yaml artifact spec
```
Are you willing to submit PRs to contribute to this bug fix?
Yes, I am willing to implement it.
We should definitely try and escape macros, though I do worry about the difficulty of handling all edge cases here. As an additional part of this issue, I would propose more validation on build steps using a shell parser such as https://github.com/mvdan/sh, at least for RPM targets
Was thinking about this yesterday.
We could probably just drop all the build scripts into a separate script file, include it as a Source in the rpm spec and execute that.
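The three ideas raised above (reject or escape macro-looking text, and move the build steps out of the spec into a separate Source file) can be compared side by side. The following is an added example, not code from this project: it takes the injected `%install` line from the issue as a constructed input, flags steps that rpmbuild's spec parser would treat as directives, shows the `%` to `%%` escape rpm uses for a literal percent sign, and renders the alternative where the spec's `%build` only invokes a shipped script. The `Source1` index, the `build.sh` file name and the directive list are assumptions for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// buildSteps is a constructed stand-in for the shell lines a user supplies in
// the YAML artifact spec. Lines 2-3 reproduce the injected macro from the issue.
var buildSteps = []string{
	"make",
	"%install",
	"# insert extra stuff not in the yaml artifact spec",
	"echo 'done at 100%'",
}

// directiveRe matches a line that rpmbuild's spec parser acts on itself when it
// begins the line: section headers, conditionals and macro definitions. These
// are the tokens that let user-supplied text escape the %build section.
// The keyword list is an assumption covering the common spec directives.
var directiveRe = regexp.MustCompile(
	`^\s*%(prep|build|install|check|files|changelog|pre|post|preun|postun|clean|if|ifarch|ifos|else|endif|define|global|include)\b`)

// ValidateBuildSteps returns the 1-based indices of steps that would be read
// as spec directives rather than as shell. An empty result means no step
// starts with a directive token.
func ValidateBuildSteps(steps []string) []int {
	var bad []int
	for i, s := range steps {
		if directiveRe.MatchString(s) {
			bad = append(bad, i+1)
		}
	}
	return bad
}

// EscapeRPMMacros doubles every '%' so that rpm's macro expander emits a
// literal percent sign instead of expanding whatever follows as a macro.
func EscapeRPMMacros(s string) string {
	return strings.ReplaceAll(s, "%", "%%")
}

// RenderInlineBuild embeds the steps directly in the %build section, refusing
// directive-like lines first and escaping the rest. This is the "escape
// macros" approach with the validation the first comment asks for.
func RenderInlineBuild(steps []string) (string, error) {
	if bad := ValidateBuildSteps(steps); len(bad) > 0 {
		return "", fmt.Errorf("build steps %v look like rpm spec directives", bad)
	}
	var b strings.Builder
	b.WriteString("%build\n")
	for _, s := range steps {
		b.WriteString(EscapeRPMMacros(s))
		b.WriteByte('\n')
	}
	return b.String(), nil
}

// RenderScriptBuild follows the second comment: the steps go verbatim into a
// separate file shipped as a Source (the index is an assumption), and the
// spec's %build only invokes it, so rpmbuild never parses the steps at all.
func RenderScriptBuild(steps []string, sourceIdx int) (specFragment, script string) {
	script = "#!/bin/sh\nset -e\n" + strings.Join(steps, "\n") + "\n"
	specFragment = fmt.Sprintf("Source%d: build.sh\n\n%%build\nsh %%{SOURCE%d}\n", sourceIdx, sourceIdx)
	return specFragment, script
}

func main() {
	if _, err := RenderInlineBuild(buildSteps); err != nil {
		fmt.Println("inline rendering refused:", err)
	}
	spec, script := RenderScriptBuild(buildSteps, 1)
	fmt.Print(spec, "\n--- build.sh ---\n", script)
}
```

With the constructed input, the inline path is refused because step 2 is a spec section header, while the script path ships the same `%install` text as an ordinary line in `build.sh`, where it is just shell the user will see fail rather than a new spec section. The escape alone is kept for percent signs inside otherwise harmless lines (`100%`), not as the defence against section headers.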