
Comment by baobun

4 days ago

Fill in the blank to run a docker container which opens the file with user-provided path in (say) vim.

    docker run --rm -it ...?

Now run a container doing the exact same thing ("docker-in-docker").

    docker run --rm -it -v $DOCKER_HOST:/var/run/docker.sock ...?

> Fill in the blank to run a docker container which opens the file with user-provided path in (say) vim.

Never used docker before, but this seems to work:

    docker run --rm -it debian bash -c 'vim -- "$1"' _ "$user_provided_path"

  • Looks relatively safe to me, though it doesn't seem to work because debian:latest doesn't have vim in it (so I'm skeptical of your implicit claim of having tried it), and, if $user_provided_path is empty, it defaults to browsing the filesystem. But there are a lot of characters there that are specifically there to avoid footguns; without them, it would seem to work, but it would fail when $user_provided_path contained special characters.

    The version I tested was

        docker run --rm -it debian bash -c 'apt update; apt install -y vim; vim -- "$1"' _ "$user_provided_path"

    • > your implicit claim of having tried it

      I tried printing positional parameters, they looked fine. (And already uninstalled docker. What's the point of containerization if you need superuser privileges to use it?)

      > if $user_provided_path is empty, it defaults to browsing the filesystem

      That's what

          vim -- ""

      does.

      > But there are a lot of characters there that are specifically there to avoid footguns

      What are those characters? --? That's not a lot

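The quoting discussed in this thread, as an added example that is not part of any comment: it compares passing the path as a positional parameter with splicing it into the script text. A local `sh -c` stands in for `docker run --rm -it debian bash -c`, and the hypothetical `report` function stands in for vim so it runs without docker; the sample paths are constructed.

```shell
#!/bin/sh
# report() is a hypothetical stand-in for vim: it prints "<argc>:<first arg>"
# so the argument boundaries the editor would see become visible.
REPORT='report() { printf "%d:%s" "$#" "$1"; }'

# Form used in the thread: the script text is a constant, and the path is
# passed after the `_` placeholder ($0), so it arrives as "$1" and is never
# parsed as shell syntax by the inner shell.
safe_open() {
    # Added guard (assumption, not from the thread's command): an empty path
    # makes vim browse the filesystem, as noted above, so refuse it up front.
    [ -n "$1" ] || { echo "refusing empty path" >&2; return 2; }
    # The `--` before the path matters for vim's option parsing; report()
    # takes no options, so it is left out of the stand-in.
    sh -c "$REPORT"'; report "$1"' _ "$1"
}

# The same command with the quoting and the positional parameter removed:
# the path is pasted into the script text and re-parsed by the inner shell.
fragile_open() {
    sh -c "$REPORT; report $1"
}

# Constructed sample paths.
for p in 'notes.txt' 'my notes.txt'; do
    printf '%-14s safe=%s fragile=%s\n' \
        "$p" "$(safe_open "$p")" "$(fragile_open "$p")"
done
```

The fragile form appears to work for `notes.txt` and only diverges once the path contains a space, which is the failure mode described in the thread.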