by deepsun
17 days ago
No, no, I mean launch processes by all means, just without shell substitutions. Ever noticed that docker (and k8s) accept the command line as an array? That's the way to go. It does not expand any env variables or path expansions (.. or *).
Like command: ["java", "Main.java"]
But people hack it in order to get shell features, and that is the failure I mean: command: ["sh", "-c", "java Main.java"]
The second example runs a shell, and the shell is for humans, so it is vulnerable to the attacks above.
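An added example (not part of the original comment) contrasting the two launch styles above: an argv list hands every argument to the program literally, while wrapping the same text in sh -c brings back variable and glob expansion; the is_shell_wrapped check is a hypothetical helper for spotting the second pattern in a container command list.

```python
import os
import subprocess

# Exec-style launch: args is an argv list, no shell is involved, so
# "$HOME" and "*" reach the program as the literal strings.
def run_argv(args):
    return subprocess.run(args, capture_output=True, text=True).stdout

# Shell-style launch, equivalent to command: ["sh", "-c", cmdline].
# The inner string is parsed by sh, so expansions apply again.
def run_shell(cmdline):
    return subprocess.run(["sh", "-c", cmdline],
                          capture_output=True, text=True).stdout

# Hypothetical check for the anti-pattern the comment describes:
# a container command that is really a shell plus a command string.
def is_shell_wrapped(command):
    if len(command) < 2:
        return False
    shells = {"sh", "bash", "dash", "ash", "zsh"}
    return os.path.basename(command[0]) in shells and "-c" in command[1:]

if __name__ == "__main__":
    # Constructed sample: same words, two launch styles.
    print(repr(run_argv(["echo", "$HOME", "*"])))   # literal '$HOME *\n'
    print(repr(run_shell("echo $HOME *")))         # expanded by sh
    for cmd in (["java", "Main.java"], ["sh", "-c", "java Main.java"]):
        print(cmd, "shell-wrapped" if is_shell_wrapped(cmd) else "exec-form")
```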