container-hardening
Harden Script is Susceptible to Word Splitting
If any file path under a directory handed to the harden script contains whitespace, the script's unquoted expansion splits that path into separate words, the copy step fails, and the image cannot be built.
To demonstrate the issue, consider the following base image:
```dockerfile
FROM debian
RUN mkdir -p /usr/share/hw
RUN printf "%s\n\n%s\n" "#!/bin/sh" "echo 'Hello World'" > "/usr/share/hw/hello world"
RUN chmod +x "/usr/share/hw/hello world"
```
I just built the image locally and named it hw.
Then a second Dockerfile runs the harden script against that image and copies the hardened tree into a `scratch` image:
```dockerfile
FROM hw as origin
ADD harden /harden
RUN mkdir /tmp/harden
RUN ./harden -d /bin/sh -f /usr/share/hw
FROM scratch
COPY --from=origin /tmp/harden/ /
ENTRYPOINT ["/usr/share/hw/hello world"]
```
The build process will fail with something like:
```
cp: cannot stat 'usr/share/hw/hello': No such file or directory
cp: cannot stat 'world': No such file or directory
Error: error building at STEP "RUN ./harden -d /bin/sh -f /usr/share/hw": error while running runtime: exit status 1
```
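The two `cp` errors above are what an unquoted `$(find ...)` expansion produces: the shell splits `.../hello world` on IFS and `cp` receives `.../hello` and `world` as two arguments. The script below is an added example and is not the harden script's own code; it rebuilds the `hello world` fixture from the issue in a temporary directory (constructed, not taken from the `hw` image), reproduces the failure with a hypothetical splitting copy loop, and shows a POSIX `sh` copy loop that never lets a path pass through word splitting. The function names, the `-type f` filter and the `/tmp`-style destination layout are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not the harden script's own code. It reproduces the
# word-splitting failure from the issue on a constructed tree and shows a
# copy loop that is immune to whitespace in paths.
set -u

# Constructed fixture: a tree with one executable whose name has a space,
# mirroring the "hello world" script from the issue's base image.
make_fixture() {
    src=$(mktemp -d)
    mkdir -p "$src/usr/share/hw"
    printf '%s\n\n%s\n' '#!/bin/sh' "echo 'Hello World'" > "$src/usr/share/hw/hello world"
    chmod +x "$src/usr/share/hw/hello world"
    printf '%s\n' "$src"
}

# Vulnerable pattern (hypothetical; it matches the cp errors in the report).
# The unquoted $(find ...) is split on IFS, so ".../hello world" arrives as
# two arguments and cp cannot stat either half.
copy_split() {
    src=$1
    dst=$2
    for f in $(find "$src" -type f); do
        rel=${f#"$src"/}
        mkdir -p "$dst/$(dirname "$rel")" || return 1
        cp -p "$f" "$dst/$rel" 2>/dev/null || return 1
    done
}

# Hardened pattern: never let a path pass through word splitting. find hands
# each name to the inner sh as its own argument ({} +), and every expansion
# is double-quoted. Portable POSIX sh; no -print0 / xargs -0 required.
copy_safe() {
    src=$1
    dst=$2
    find "$src" -type f -exec sh -c '
        src=$1; dst=$2; shift 2
        for f; do
            rel=${f#"$src"/}
            mkdir -p "$dst/$(dirname "$rel")" || exit 1
            cp -p "$f" "$dst/$rel" || exit 1
        done' sh "$src" "$dst" {} +
}

# Runs both loops against the fixture, prints the outcome, cleans up.
demo() {
    src=$(make_fixture)
    d1=$(mktemp -d)
    d2=$(mktemp -d)
    if copy_split "$src" "$d1"; then
        echo "copy_split: unexpectedly succeeded"
    else
        echo "copy_split: failed (word splitting)"
    fi
    if copy_safe "$src" "$d2"; then
        echo "copy_safe: ok, entrypoint says: $("$d2/usr/share/hw/hello world")"
    else
        echo "copy_safe: failed"
    fi
    rm -rf "$src" "$d1" "$d2"
}

demo
```

The same reasoning applies to any `for f in $(...)`, `cp $files` or `xargs` without `-0` in a hardening script: quote every expansion, and pass paths as arguments (`find -exec ... {} +`, or `-print0 | xargs -0` where available) rather than as a whitespace-separated string.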