diff --git a/driver/pot.go b/driver/pot.go
index a510f3a..cdc136e 100644
--- a/driver/pot.go
+++ b/driver/pot.go
@@ -14,6 +14,7 @@ import (
 "syscall"
 "time"
+ "github.com/alessio/shellescape"
 "github.com/armon/circbuf"
 "github.com/creack/pty"
 hclog "github.com/hashicorp/go-hclog"
@@ -240,7 +241,7 @@ func (s *syexec) createContainer(commandCfg *drivers.TaskConfig) error {
 message := potBIN + " " + command
 s.logger.Debug("Setting pot attributes: ", message)
- cmdAttr := potBIN + " " + command
+ cmdAttr := shellescape.Quote(potBIN) + " " + command
 output, err := exec.Command("sh", "-c", cmdAttr).Output()
 if err != nil {
 if exitError, ok := err.(*exec.ExitError); ok {
@@ -260,7 +261,7 @@ func (s *syexec) createContainer(commandCfg *drivers.TaskConfig) error {
 message := potBIN + " " + command
 s.logger.Debug("Copying files on jail: ", message)
- cmdFiles := potBIN + " " + command
+ cmdFiles := shellescape.Quote(potBIN) + " " + command
 output, err := exec.Command("sh", "-c", cmdFiles).Output()
 if err != nil {
 if exitError, ok := err.(*exec.ExitError); ok {
@@ -280,7 +281,7 @@ func (s *syexec) createContainer(commandCfg *drivers.TaskConfig) error {
 message := potBIN + " " + command
 s.logger.Debug("Mounting files on jail: ", message)
- cmdVolumes := potBIN + " " + command
+ cmdVolumes := shellescape.Quote(potBIN) + " " + command
 output, err := exec.Command("sh", "-c", cmdVolumes).Output()
 if err != nil {
 if exitError, ok := err.(*exec.ExitError); ok {
@@ -299,7 +300,7 @@ func (s *syexec) createContainer(commandCfg *drivers.TaskConfig) error {
 message := potBIN + " " + command
 s.logger.Debug("Mounting READ only files on jail: ", message)
- cmdVolumesRO := potBIN + " " + command
+ cmdVolumesRO := shellescape.Quote(potBIN) + " " + command
 output, err := exec.Command("sh", "-c", cmdVolumesRO).Output()
 if err != nil {
 if exitError, ok := err.(*exec.ExitError); ok {
diff --git a/driver/prepare.go b/driver/prepare.go
index 57f12e7..8c08720 100644
--- a/driver/prepare.go
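Review bot: In driver/pot.go (hunk at -240,7) the command string is still handed to `sh -c`, so quoting `potBIN` covers only the binary path and the call stays safe only if every field inside `command` was quoted where it was built in driver/prepare.go. Passing the arguments as a slice, `exec.Command(potBIN, args...)`, would take the shell out of the path and remove the dependency on quoting at every call site; that requires storing argument slices instead of pre-joined strings. The hunks at -260,7, -280,7 and -299,7 follow the same pattern. `message` is still built from the unquoted `potBIN`, so the debug log no longer shows the exact string that is executed. createContainer's body starts and ends outside these hunks.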
+++ b/driver/prepare.go
@@ -83,11 +83,11 @@ func prepareContainer(cfg *drivers.TaskConfig, taskCfg TaskConfig) (syexec, erro
 potName := baseName + "_" + jobIDAllocID
 //Mount local
- commandLocal := "mount-in -p " + potName + " -d " + cfg.TaskDir().LocalDir + " -m /local"
+ commandLocal := "mount-in -p " + shellescape.Quote(potName) + " -d " + shellescape.Quote(cfg.TaskDir().LocalDir) + " -m /local"
 se.argvMount = append(se.argvMount, commandLocal)
 //Mount secrets
- commandSecret := "mount-in -p " + potName + " -d " + cfg.TaskDir().SecretsDir + " -m /secrets"
+ commandSecret := "mount-in -p " + shellescape.Quote(potName) + " -d " + shellescape.Quote(cfg.TaskDir().SecretsDir) + " -m /secrets"
 se.argvMount = append(se.argvMount, commandSecret)
 if len(taskCfg.Copy) > 0 {
@@ -96,7 +96,7 @@ func prepareContainer(cfg *drivers.TaskConfig, taskCfg TaskConfig) (syexec, erro
 split := strings.SplitN(file, ":", 2)
 source := split[0]
 destination := split[1]
- command := "copy-in -p " + potName + " -s " + source + " -d " + destination
+ command := "copy-in -p " + shellescape.Quote(potName) + " -s " + shellescape.Quote(source) + " -d " + shellescape.Quote(destination)
 argvCopy = append(argvCopy, command)
 }
 se.argvCopy = argvCopy
@@ -107,7 +107,7 @@ func prepareContainer(cfg *drivers.TaskConfig, taskCfg TaskConfig) (syexec, erro
 split := strings.Split(file, ":")
 source := split[0]
 destination := split[1]
- command := "mount-in -p " + potName + " -d " + source + " -m " + destination
+ command := "mount-in -p " + shellescape.Quote(potName) + " -d " + shellescape.Quote(source) + " -m " + shellescape.Quote(destination)
 se.argvMount = append(se.argvMount, command)
 }
 }
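Review bot: In the copy-in hunk at -96,7 `split[1]` is read without checking the result of `strings.SplitN(file, ":", 2)`, so a job entry with no `:` panics with an index out of range before the new quoting is reached. A `if len(split) != 2` guard that returns an error for the malformed entry would reject it cleanly; how to return is not shown here, since prepareContainer's return statements are outside the hunk. The mount hunks at -107,7 and -118,7 and the attribute hunk at -130,14 have the same unchecked index, and they use `strings.Split`, which also silently drops everything after a second `:`.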
@@ -118,7 +118,7 @@ func prepareContainer(cfg *drivers.TaskConfig, taskCfg TaskConfig) (syexec, erro
 split := strings.Split(file, ":")
 source := split[0]
 destination := split[1]
- command := "mount-in -p " + potName + " -d " + source + " -m " + destination + " -r"
+ command := "mount-in -p " + shellescape.Quote(potName) + " -d " + shellescape.Quote(source) + " -m " + shellescape.Quote(destination) + " -r"
 argvMountReadOnly = append(argvMountReadOnly, command)
 }
 se.argvMountReadOnly = argvMountReadOnly
@@ -130,14 +130,14 @@ func prepareContainer(cfg *drivers.TaskConfig, taskCfg TaskConfig) (syexec, erro
 split := strings.Split(attr, ":")
 attribute := split[0]
 value := split[1]
- command := "set-attribute -p " + potName + " -A " + shellescape.Quote(attribute) + " -V " + shellescape.Quote(value)
+ command := "set-attribute -p " + shellescape.Quote(potName) + " -A " + shellescape.Quote(attribute) + " -V " + shellescape.Quote(value)
 se.argvAttributes = append(se.argvAttributes, command)
 }
 }
 // Set env variables
 if len(cfg.EnvList()) > 0 {
- command := potBIN + " set-env -p " + potName + " "
+ command := shellescape.Quote(potBIN) + " set-env -p " + shellescape.Quote(potName) + " "
 for name, env := range cfg.Env {
 command = command + " -E " + shellescape.Quote(name) + "=" + shellescape.Quote(env)
 }
@@ -146,9 +146,9 @@ func prepareContainer(cfg *drivers.TaskConfig, taskCfg TaskConfig) (syexec, erro
 }
 if len(taskCfg.ExtraHosts) > 0 {
- hostCommand := potBIN + " set-hosts -p " + potName
+ hostCommand := shellescape.Quote(potBIN) + " set-hosts -p " + shellescape.Quote(potName)
 for _, host := range taskCfg.ExtraHosts {
- hostCommand = hostCommand + " -H " + host
+ hostCommand = hostCommand + " -H " + shellescape.Quote(host)
 }
 se.argvExtraHosts = hostCommand
 }
@@ -156,7 +156,7 @@ func prepareContainer(cfg *drivers.TaskConfig, taskCfg TaskConfig) (syexec, erro
 //Set soft memory limit
 memoryLimit := cfg.Resources.NomadResources.Memory.MemoryMB
 sMemoryLimit := strconv.FormatInt(memoryLimit, 10)
- argvMem := potBIN + " set-rss -M " + sMemoryLimit + "M -p " + potName
+ argvMem := shellescape.Quote(potBIN) + " set-rss -M " + sMemoryLimit + "M -p " + potName
 se.argvMem = argvMem
 argvStart := make([]string, 0, 50)
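Review bot: `potName` is left unquoted at the end of the new `argvMem` line, while every other command string in this commit now wraps it in `shellescape.Quote`. If `argvMem` is later run through `sh -c` like the strings in driver/pot.go (its use is not visible in this hunk), this one call site keeps the unescaped value. The line should read `argvMem := shellescape.Quote(potBIN) + " set-rss -M " + sMemoryLimit + "M -p " + shellescape.Quote(potName)`. prepareContainer's body continues outside the hunk.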