Skip to content
This repository has been archived by the owner on Jun 6, 2024. It is now read-only.

Escape injected variables in shell scripts #1860

Merged
merged 8 commits into from
Dec 16, 2018
Merged

Escape injected variables in shell scripts #1860

merged 8 commits into from
Dec 16, 2018

Conversation

Gerhut
Copy link
Member

@Gerhut Gerhut commented Dec 10, 2018

No description provided.

@coveralls
Copy link

coveralls commented Dec 10, 2018
edited
Loading

Coverage Status

Coverage increased (+0.02%) to 51.785% when pulling b62d00a on qixcheng/rest-server/shell-inject into c5ce662 on master.

@Gerhut
Copy link
Member Author

Gerhut commented Dec 10, 2018

The bottom one is for backward compatibility

sterowang
sterowang approved these changes Dec 10, 2018
View reviewed changes
Copy link

@sterowang sterowang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

sunqinzheng
sunqinzheng reviewed Dec 11, 2018
View reviewed changes
src/rest-server/src/templates/yarnContainerScript.mustache Outdated
echo PAI_DEFAULT_FS_URI={{ hdfsUri }} >> $ENV_LIST
echo PAI_JOB_NAME={{ jobData.jobName }} >> $ENV_LIST
echo PAI_USER_NAME={{ jobData.userName }} >> $ENV_LIST
echo PAI_DATA_DIR={{ jobData.dataDir }} >> $ENV_LIST
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

User can set/modify arbitrary environment variable here because the job data will be unescaped by echo.
(I don't know how to make use of it...)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Job env will be only enabled in docker containers, so I think any unpredicted modifications will be safe.

@Gerhut Gerhut force-pushed the qixcheng/rest-server/shell-inject branch from 54767ab to b62d00a Compare December 14, 2018 07:17
@Gerhut Gerhut merged commit 26e050d into master Dec 16, 2018
@Gerhut Gerhut deleted the qixcheng/rest-server/shell-inject branch December 16, 2018 07:57
@Gerhut Gerhut mentioned this pull request Jan 8, 2019
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@sunqinzheng sunqinzheng sunqinzheng approved these changes

@sterowang sterowang sterowang approved these changes

@fanyangCS fanyangCS Awaiting requested review from fanyangCS

@mzmssg mzmssg Awaiting requested review from mzmssg

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Gerhut @coveralls @sunqinzheng @sterowang