fix: harden WORK_HOME path matching in make issue

vvbandeira · vvbandeira · commit 4bc902f145b1 · 2026-06-04T08:40:52.000-03:00
Address review:

- generate-vars.sh: require a path boundary after WORK_HOME so a
  prefix (e.g. /tmp/work) does not corrupt sibling paths
  (e.g. /tmp/work_other)
- makeIssue.sh: tolerate trailing slash in WORK_HOME and slash runs
  in tar member names (${WORK_HOME}/x yields ws//x when WORK_HOME
  ends in /)

Signed-off-by: Vitor Bandeira &lt;vvbandeira@precisioninno.com&gt;
diff --git a/flow/util/generate-vars.sh b/flow/util/generate-vars.sh
@@ -60,8 +60,11 @@ while read -r VAR; do
         # symlink-resolved form may appear in values. Skip when WORK_HOME is
         # FLOW_HOME, which is handled via ${FLOW_HOME} below.
         for work_path in "${WORK_HOME:-.}" "${WORK_ROOT}"; do
+            work_path="${work_path%/}"
             if [[ "${work_path}" == /* && "${work_path}" != "${FLOW_ROOT}" ]]; then
-                value=$(sed -e "s,\(^\|[: \"']\)${work_path},\1.,g" <<< "${value}")
+                # require a path boundary after the match so e.g. /tmp/work
+                # does not corrupt /tmp/work_other
+                value=$(sed -e "s,\(^\|[: \"']\)${work_path}\(/\|[: \"']\|$\),\1.\2,g" <<< "${value}")
             fi
         done
         for path in workspace platforms; do
diff --git a/flow/util/makeIssue.sh b/flow/util/makeIssue.sh
@@ -132,9 +132,9 @@ fi
 # the tarball root instead of recreating the absolute path (e.g. tmp/...).
 # Both the literal and the symlink-resolved form may appear in member names.
 WORK_ROOT=$(realpath "${WORK_HOME:-.}")
-WORK_HOME_TRANSFORMS=(--transform="s|^${ISSUE_TARGET}_${ISSUE_TAG}${WORK_ROOT}/|${ISSUE_TARGET}_${ISSUE_TAG}/|S")
-if [[ "${WORK_HOME:-.}" == /* && "${WORK_HOME:-.}" != "${WORK_ROOT}" ]]; then
-    WORK_HOME_TRANSFORMS+=(--transform="s|^${ISSUE_TARGET}_${ISSUE_TAG}${WORK_HOME}/|${ISSUE_TARGET}_${ISSUE_TAG}/|S")
+WORK_HOME_TRANSFORMS=(--transform="s|^${ISSUE_TARGET}_${ISSUE_TAG}${WORK_ROOT}//*|${ISSUE_TARGET}_${ISSUE_TAG}/|S")
+if [[ "${WORK_HOME:-.}" == /* && "${WORK_HOME%/}" != "${WORK_ROOT}" ]]; then
+    WORK_HOME_TRANSFORMS+=(--transform="s|^${ISSUE_TARGET}_${ISSUE_TAG}${WORK_HOME%/}//*|${ISSUE_TARGET}_${ISSUE_TAG}/|S")
 fi
 tar --use-compress-program=${COMPRESS} \
     --ignore-failed-read -chf ${TAR_NAME} \
