box icon indicating copy to clipboard operation
box copied to clipboard
verified publisher icon box-builder

bug: stacked `inside` statements cause relative path escape

Open erikh opened this issue 8 years ago • 0 comments

This is not a security issue, just a bug in how we handle inside statements.

inside "/one" do
  inside "two" do
  end
  
  inside "three" do
  end
end

Right now, inside works with two but chdirs back to the workdir for three. I think this is caused by the inner end statement not handling its escape appropriately. This shouldn't be too hard to keep a stack for on the side so we can track it easier.

Workaround for now is to flatten inside statements and then use a constant/variable to scope each block, e.g.:

BUILD_DIR = "/one"

inside "#{BUILD_DIR}/two" do
end

inside "#{BUILD_DIR}/three" do
end

erikh avatar Jul 20 '17 01:07 erikh