ocaml-dockerfile
Presence of spaces in a command is not escaped and results in an incorrect Dockerfile
Example:
from "alpine" @@
run "ls\n/"
results in the incorrect Dockerfile:
FROM alpine
RUN ls
/
Instead, each \n character should be escaped using \ as per https://docs.docker.com/engine/reference/builder/#format
I have mixed feelings about the bug report. I think there's a case for considering that the shell syntax requires the escape, not the Dockerfile, and that the newline should be escaped in the original string.
I've drafted a patch for the problem, though. I'm also wondering where the escape should apply, only RUN instructions, or to a lot more places?
I don't mind if the escapes are not added, but I think the library should check that the string given as input is well-formed and is not going to escape its scope and create a new section, e.g.:
run "%s" input_from_user
If input_from_user = "true\nA-NEW-MALICIOUS-SECTION", then it would create a potentially dangerous Dockerfile:
RUN true
A-NEW-MALICIOUS-SECTION
I also think this check should be done in all the places a raw input is outputted (most instructions, I suspect).
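The two options discussed in this thread, rejecting input that would leave its instruction versus escaping its line breaks, sketched as an added example that is not code from ocaml-dockerfile or from any participant above. The helper names `continued`, `check_single_instruction` and `escape_newlines` are hypothetical, and the continuation rule (default escape character, a lone `\` directly before the line break) is a simplifying assumption.

```ocaml
(* Added example: standalone helpers, not part of ocaml-dockerfile.
   Assumption: the default escape character '\' is in effect, and a line
   break is a continuation only when a lone '\' immediately precedes it. *)

(* Is the '\n' at index [i] of [s] already a Dockerfile continuation? *)
let continued s i =
  i > 0 && s.[i - 1] = '\\' && not (i > 1 && s.[i - 2] = '\\')

(* Strict check for untrusted input: a line break that is not a
   continuation (or any '\r', conservatively) is reported as an error. *)
let check_single_instruction s =
  let bad = ref None in
  String.iteri
    (fun i c ->
      if !bad = None then (
        match c with
        | '\r' -> bad := Some i
        | '\n' when not (continued s i) -> bad := Some i
        | _ -> ()))
    s;
  match !bad with
  | None -> Ok s
  | Some i ->
    Error (Printf.sprintf "line break at offset %d leaves the instruction" i)

(* Lenient alternative: turn every bare line break into a continuation so
   the text stays inside one instruction; carriage returns are dropped.
   The shell then sees one joined command line, not two commands. *)
let escape_newlines s =
  let b = Buffer.create (String.length s + 8) in
  String.iteri
    (fun i c ->
      match c with
      | '\r' -> ()
      | '\n' when not (continued s i) -> Buffer.add_string b " \\\n"
      | c -> Buffer.add_char b c)
    s;
  Buffer.contents b

let () =
  (* Constructed inputs; the first two strings come from the thread above. *)
  List.iter
    (fun s ->
      match check_single_instruction s with
      | Ok s -> Printf.printf "ok:       RUN %s\n" s
      | Error e -> Printf.printf "rejected: %S (%s)\n" s e)
    [ "ls\n/"; "true\nA-NEW-MALICIOUS-SECTION"; "apk update && \\\napk add curl" ];
  print_string ("RUN " ^ escape_newlines "ls\n/" ^ "\n")
```

The strict check suits values that come from outside the program, as in the `input_from_user` case; the escaping variant matches the behaviour the original report asks for and changes what the shell executes.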