Protect against command jailbreaking the executor container (#353)

microsoft · Aug 11, 2023 · 5baf6c6 · 5baf6c6
1 parent b0ae6e8
commit 5baf6c6
Show file tree

Hide file tree

Showing 5 changed files with 2 additions and 29 deletions.
diff --git a/src/TesApi.Web/BatchScheduler.cs b/src/TesApi.Web/BatchScheduler.cs
@@ -1126,7 +1126,7 @@ private async Task<CloudTask> ConvertTesTaskToBatchTaskAsync(string taskId, TesT
             sb.AppendLinuxLine($"chmod -R o+rwx $AZ_BATCH_TASK_WORKING_DIR/wd && \\");
             sb.AppendLinuxLine($"export TES_TASK_WD=$AZ_BATCH_TASK_WORKING_DIR/wd && \\");
             sb.AppendLinuxLine($"write_ts ExecutorStart && \\");
-            sb.AppendLinuxLine($"docker run --rm {volumeMountsOption} --entrypoint= {workdirOption}{executor.Image} {executor.Command[0]} {string.Join(" ", executor.Command.Skip(1).Select(BashWrapShellArgument))} && \\");
+            sb.AppendLinuxLine($"docker run --rm {volumeMountsOption} --entrypoint= {workdirOption}{executor.Image} {string.Join(" ", executor.Command.Select(BashWrapShellArgument))} && \\");
             sb.AppendLinuxLine($"write_ts ExecutorEnd && \\");
             sb.AppendLinuxLine($"write_ts UploadStart && \\");
             sb.AppendLinuxLine($"./{NodeTaskRunnerFilename} upload && \\");

diff --git a/src/deploy-tes-on-azure/Deployer.cs b/src/deploy-tes-on-azure/Deployer.cs
@@ -714,7 +714,7 @@ private static async Task<int> TestTaskAsync(string tesEndpoint, bool preemptibl
                     new TesExecutor()
                     {
                         Image = "ubuntu:22.04",
-                        Command = new List<string>{"echo 'hello world'" },
+                        Command = new List<string>{ "echo", "hello world" },
                     }
                 },
                 Resources = new TesResources()

diff --git a/src/deploy-tes-on-azure/deploy-tes-on-azure.csproj b/src/deploy-tes-on-azure/deploy-tes-on-azure.csproj
@@ -64,8 +64,6 @@
     <EmbeddedResource Include="scripts\env-01-account-names.txt" />
     <EmbeddedResource Include="scripts\env-02-internal-images.txt" />
     <EmbeddedResource Include="scripts\env-04-settings.txt" />
-    <EmbeddedResource Include="test.wdl" />
-    <EmbeddedResource Include="testInputs.json" />
     <Content Update="samples\config.json">
         <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </Content>

diff --git a/src/deploy-tes-on-azure/test.wdl b/src/deploy-tes-on-azure/test.wdl
diff --git a/src/deploy-tes-on-azure/testInputs.json b/src/deploy-tes-on-azure/testInputs.json