Improve security by using temporary files and folders instead of .cuber

Author: collimarco

lib/cuber/cli.rb

@@ -1,4 +1,6 @@
 require 'optparse'
+require 'tmpdir'
+require 'tempfile'
 require 'fileutils'
 require 'open3'
 require 'erb'

lib/cuber/commands/deploy.rb

@@ -7,6 +7,7 @@ def initialize options
     end
 
     def execute
+      mktmpdirs
       if @options[:release]
         print_step 'Deploying a past release'
       else
@@ -22,9 +23,21 @@ def execute
       configure
       apply
       rollout
+    ensure
+      rmtmpdirs
     end
 
     private
+    
+    def mktmpdirs
+      @repo_tmpdir = Dir.mktmpdir
+      @kubernetes_tmpdir = Dir.mktmpdir
+    end
+    
+    def rmtmpdirs
+      FileUtils.remove_entry @repo_tmpdir
+      FileUtils.remove_entry @kubernetes_tmpdir
+    end
 
     def print_step desc
       puts
@@ -33,17 +46,14 @@ def print_step desc
 
     def checkout
       print_step 'Cloning Git repository'
-      path = '.cuber/repo'
-      FileUtils.mkdir_p path
-      FileUtils.rm_rf path, secure: true
       cmd = ['git', 'clone']
       cmd += ['--branch', @options[:repo][:branch]] if @options[:repo][:branch]
-      cmd += ['--depth', '1', @options[:repo][:url], path]
+      cmd += ['--depth', '1', @options[:repo][:url], @repo_tmpdir]
       system(*cmd) || abort('Cuber: git clone failed')
     end
 
     def commit_hash
-      out, status = Open3.capture2 'git', 'rev-parse', '--short', 'HEAD', chdir: '.cuber/repo'
+      out, status = Open3.capture2 'git', 'rev-parse', '--short', 'HEAD', chdir: @repo_tmpdir
       abort 'Cuber: cannot get commit hash' unless status.success?
       out.strip
     end
@@ -57,7 +67,7 @@ def pack
       tag = "#{@options[:image]}:#{@options[:release]}"
       cmd = ['pack', 'build', tag, '--builder', @options[:buildpacks], '--publish']
       cmd += ['--pull-policy', 'always', '--clear-cache'] if @options[:cache] == false
-      system(*cmd, chdir: '.cuber/repo') || abort('Cuber: pack build failed')
+      system(*cmd, chdir: @repo_tmpdir) || abort('Cuber: pack build failed')
     end
 
     def build
@@ -67,7 +77,7 @@ def build
       cmd = ['docker', 'build']
       cmd += ['--pull', '--no-cache'] if @options[:cache] == false
       cmd += ['--platform', 'linux/amd64', '--progress', 'plain', '-f', dockerfile, '-t', tag, '.']
-      system(*cmd, chdir: '.cuber/repo') || abort('Cuber: docker build failed')
+      system(*cmd, chdir: @repo_tmpdir) || abort('Cuber: docker build failed')
     end
 
     def push
@@ -80,13 +90,13 @@ def configure
       print_step 'Generating Kubernetes configuration'
       @options[:instance] = "#{@options[:app]}-#{Time.now.utc.iso8601.delete('^0-9')}"
       @options[:dockerconfigjson] = Base64.strict_encode64 File.read File.expand_path(@options[:dockerconfig] || '~/.docker/config.json')
-      render 'deployment.yml', '.cuber/kubernetes/deployment.yml'
+      render 'deployment.yml', File.join(@kubernetes_tmpdir, 'deployment.yml')
     end
 
     def apply
       print_step 'Applying configuration to Kubernetes cluster'
       kubectl 'apply',
-        '-f', '.cuber/kubernetes/deployment.yml',
+        '-f', File.join(@kubernetes_tmpdir, 'deployment.yml'),
         '--prune', '-l', "app.kubernetes.io/name=#{@options[:app]},app.kubernetes.io/managed-by=cuber"
     end
 

lib/cuber/commands/run.rb

@@ -33,15 +33,15 @@ def command
 
     def kubeexec command
       @options[:pod] = "pod-#{command.downcase.gsub(/[^a-z0-9]+/, '-')}-#{Time.now.utc.iso8601.delete('^0-9')}"
-      path = ".cuber/kubernetes/#{@options[:pod]}.yml"
       full_command = command.shellsplit
       full_command.unshift 'launcher' unless @options[:buildpacks].to_s.strip.empty?
-      render 'pod.yml', path
-      kubectl 'apply', '-f', path
+      Tempfile.create(['pod', '.yml']) do |temp|
+        render 'pod.yml', temp.path
+        kubectl 'apply', '-f', temp.path
+      end
       kubectl 'wait', '--for', 'condition=ready', "pod/#{@options[:pod]}"
       kubectl 'exec', '-it', @options[:pod], '--', *full_command
       kubectl 'delete', 'pod', @options[:pod], '--wait=false'
-      File.delete path
     end
 
   end

lib/cuber/version.rb

@@ -1,3 +1,3 @@
 module Cuber
-  VERSION = '1.13.0'.freeze
+  VERSION = '1.14.0'.freeze
 end