Fix code injection in cwd

stsewd · stsewd · commit 299fc139ab9f · 2021-05-19T14:06:25.000-05:00
This isn't a vulnerability since this command is executed inside
a container with a unprivileged user.

I have replaced the usage of manual `cd` with using the `workdir`
option from docker. This option doesn't support env vars expansion
(which is safer), so I had to introduce a new setting.
diff --git a/readthedocs/doc_builder/environments.py b/readthedocs/doc_builder/environments.py
@@ -75,7 +75,8 @@ class BuildCommand(BuildCommandResultMixin):
     :py:class:`readthedocs.builds.models.BuildCommandResult` model.
 
     :param command: string or array of command parameters
-    :param cwd: current working path for the command
+    :param cwd: Absolute path used as the current working path for the command.
+        Defaults to ``RTD_DOCKER_WORKDIR``.
     :param shell: execute command in shell, default=False
     :param environment: environment variables to add to environment
     :type environment: dict
@@ -102,7 +103,7 @@ def __init__(
     ):
         self.command = command
         self.shell = shell
-        self.cwd = cwd or '$HOME'
+        self.cwd = cwd or settings.RTD_DOCKER_WORKDIR
         self.user = user or settings.RTD_DOCKER_USER
         self.environment = environment.copy() if environment else {}
         if 'PATH' in self.environment:
@@ -152,9 +153,7 @@ def run(self):
             proc = subprocess.Popen(
                 command,
                 shell=self.shell,
-                # This is done here for local builds, but not for docker,
-                # as we want docker to expand inside the container
-                cwd=os.path.expandvars(self.cwd),
+                cwd=self.cwd,
                 stdin=None,
                 stdout=subprocess.PIPE,
                 stderr=subprocess.STDOUT,
@@ -300,6 +299,7 @@ def run(self):
                 cmd=self.get_wrapped_command(),
                 environment=self.environment,
                 user=self.user,
+                workdir=self.cwd,
                 stdout=True,
                 stderr=True,
             )
@@ -360,8 +360,7 @@ def get_wrapped_command(self):
             ])
         )
         return (
-            "/bin/sh -c 'cd {cwd} && {prefix}{cmd}'".format(
-                cwd=self.cwd,
+            "/bin/sh -c '{prefix}{cmd}'".format(
                 prefix=prefix,
                 cmd=command,
             )
diff --git a/readthedocs/doc_builder/python_environments.py b/readthedocs/doc_builder/python_environments.py
@@ -323,7 +323,7 @@ def setup_base(self):
             # Don't use virtualenv bin that doesn't exist yet
             bin_path=None,
             # Don't use the project's root, some config files can interfere
-            cwd='$HOME',
+            cwd=None,
         )
 
     def install_core_requirements(self):
diff --git a/readthedocs/settings/base.py b/readthedocs/settings/base.py
@@ -441,6 +441,7 @@ def TEMPLATES(self):
     # https://docs.docker.com/engine/reference/run/#user
     RTD_DOCKER_USER = 'docs:docs'
     RTD_DOCKER_SUPER_USER = 'root:root'
+    RTD_DOCKER_WORKDIR = '/home/docs/'
 
     RTD_DOCKER_COMPOSE = False
 

Original file line number	Diff line number	Diff line change
`@@ -323,7 +323,7 @@ def setup_base(self):`
`323`	`323`	`# Don't use virtualenv bin that doesn't exist yet`
`324`	`324`	`bin_path=None,`
`325`	`325`	`# Don't use the project's root, some config files can interfere`
`326`		`- cwd='$HOME',`
	`326`	`+ cwd=None,`
`327`	`327`	`)`
`328`	`328`
`329`	`329`	`def install_core_requirements(self):`