johba/disinto
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

fix: use safe array-based docker run command in dispatcher (#153)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details

Browse source
This commit is contained in:
Agent 2026-04-02 20:28:43 +00:00
parent 7724488227
commit ff58fcea65
1 changed files with 36 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

57
docker/edge/dispatcher.sh
View file

@ -298,8 +298,19 @@ launch_runner() {
local secrets_array local secrets_array
secrets_array="${VAULT_ACTION_SECRETS:-}" secrets_array="${VAULT_ACTION_SECRETS:-}"
# Build secret flags from TOML secrets array # Build command array (safe from shell injection)
local secret_flags="" local -a cmd=(docker run --rm
--name "vault-runner-${action_id}"
--network disinto_disinto-net
-e "FORGE_URL=${FORGE_URL}"
-e "FORGE_TOKEN=${FORGE_TOKEN}"
-e "FORGE_REPO=${FORGE_REPO}"
-e "FORGE_OPS_REPO=${FORGE_OPS_REPO}"
-e "PRIMARY_BRANCH=${PRIMARY_BRANCH}"
-e DISINTO_CONTAINER=1
)
# Add environment variables for secrets (if any declared)
if [ -n "$secrets_array" ]; then if [ -n "$secrets_array" ]; then
for secret in $secrets_array; do for secret in $secrets_array; do
secret=$(echo "$secret" | xargs) secret=$(echo "$secret" | xargs)
@ -310,39 +321,43 @@ launch_runner() {
write_result "$action_id" 1 "Secret not found in vault: ${secret}" write_result "$action_id" 1 "Secret not found in vault: ${secret}"
return 1 return 1
fi fi
secret_flags="${secret_flags} -e ${secret}=${!secret}" cmd+=(-e "${secret}=${!secret}")
fi fi
done done
else else
log "Action ${action_id} has no secrets declared — runner will execute without extra env vars" log "Action ${action_id} has no secrets declared — runner will execute without extra env vars"
fi fi
# Build docker run command # Add formula and action id as arguments (safe from shell injection)
# Uses the disinto-agents image (same as agent containers) local formula="${VAULT_ACTION_FORMULA:-}"
# Mounts Docker socket to spawn sibling containers cmd+=(disinto-agents:latest bash -c
local docker_cmd="docker run --rm \ "cd /home/agent/disinto && bash formulas/${formula}.sh ${action_id}")
--name \"vault-runner-${action_id}\" \
--network disinto_disinto-net \
-e FORGE_URL=\"${FORGE_URL}\" \
-e FORGE_TOKEN=\"${FORGE_TOKEN}\" \
-e FORGE_REPO=\"${FORGE_REPO}\" \
-e FORGE_OPS_REPO=\"${FORGE_OPS_REPO}\" \
-e PRIMARY_BRANCH=\"${PRIMARY_BRANCH}\" \
-e DISINTO_CONTAINER=1 \
${secret_flags} \
disinto-agents:latest \
bash -c \"cd /home/agent/disinto && bash formulas/${VAULT_ACTION_FORMULA}.sh ${action_id}\""
log "Running: docker run (secrets redacted)" # Log command skeleton (hide all -e flags for security)
local -a log_cmd=()
local skip_next=0
for arg in "${cmd[@]}"; do
if [[ $skip_next -eq 1 ]]; then
skip_next=0
continue
fi
if [[ "$arg" == "-e" ]]; then
log_cmd+=("$arg" "<redacted>")
skip_next=1
else
log_cmd+=("$arg")
fi
done
log "Running: ${log_cmd[*]}"
# Create temp file for logs # Create temp file for logs
local log_file local log_file
log_file=$(mktemp /tmp/dispatcher-logs-XXXXXX.txt) log_file=$(mktemp /tmp/dispatcher-logs-XXXXXX.txt)
trap 'rm -f "$log_file"' RETURN trap 'rm -f "$log_file"' RETURN
# Execute docker run command # Execute with array expansion (safe from shell injection)
# Capture stdout and stderr to log file # Capture stdout and stderr to log file
eval "$docker_cmd" > "$log_file" 2>&1 "${cmd[@]}" > "$log_file" 2>&1
local exit_code=$? local exit_code=$?
# Read logs summary # Read logs summary