security: validate batch spec mount name (#1284)

cbrnrd · web-flow · commit d859abfa558a · 2026-04-06T14:50:11.000Z
diff --git a/internal/batches/service/service_test.go b/internal/batches/service/service_test.go
@@ -594,6 +594,26 @@ changesetTemplate:
 `,
 			expectedErr: errors.New("handling mount: step 1 mount path is not in the same directory or subdirectory as the batch spec"),
 		},
+		{
+			name:         "files target path with comma",
+			batchSpecDir: tempDir,
+			rawSpec: `
+name: test-spec
+description: A test spec
+steps:
+  - run: echo "hello"
+    container: alpine:3
+    files:
+      "/tmp/x,source=/var/run/docker.sock,target=/var/run/docker.sock": "IGNORED"
+changesetTemplate:
+  title: Test Files
+  body: Test files target path with comma
+  branch: test
+  commit:
+    message: Test
+`,
+			expectedErr: errors.New("parsing batch spec: step 1 files target path contains invalid characters"),
+		},
 		{
 			name:         "mount path dot-dot traversal",
 			batchSpecDir: tempDir,
diff --git a/lib/batches/batch_spec.go b/lib/batches/batch_spec.go
@@ -169,19 +169,24 @@ func parseBatchSpec(schema string, data []byte) (*BatchSpec, error) {
 
 	for i, step := range spec.Steps {
 		for _, mount := range step.Mount {
-			if strings.Contains(mount.Path, invalidMountCharacters) {
+			if strings.ContainsAny(mount.Path, invalidMountCharacters) {
 				errs = errors.Append(errs, NewValidationError(errors.Newf("step %d mount path contains invalid characters", i+1)))
 			}
-			if strings.Contains(mount.Mountpoint, invalidMountCharacters) {
+			if strings.ContainsAny(mount.Mountpoint, invalidMountCharacters) {
 				errs = errors.Append(errs, NewValidationError(errors.Newf("step %d mount mountpoint contains invalid characters", i+1)))
 			}
 		}
+		for name := range step.Files {
+			if strings.ContainsAny(name, invalidMountCharacters) {
+				errs = errors.Append(errs, NewValidationError(errors.Newf("step %d files target path contains invalid characters", i+1)))
+			}
+		}
 	}
 
 	return &spec, errs
 }
-
-const invalidMountCharacters = ","
+// docker uses Golang's `encoding/csv` library to parse arguments passed to `--mount`
+const invalidMountCharacters = ",\"\n\r"
 
 func (on *OnQueryOrRepository) String() string {
 	if on.RepositoriesMatchingQuery != "" {

Original file line number	Diff line number	Diff line change
`@@ -169,19 +169,24 @@ func parseBatchSpec(schema string, data []byte) (*BatchSpec, error) {`
`169`	`169`
`170`	`170`	`for i, step := range spec.Steps {`
`171`	`171`	`for _, mount := range step.Mount {`
`172`		`- if strings.Contains(mount.Path, invalidMountCharacters) {`
	`172`	`+ if strings.ContainsAny(mount.Path, invalidMountCharacters) {`
`173`	`173`	`errs = errors.Append(errs, NewValidationError(errors.Newf("step %d mount path contains invalid characters", i+1)))`
`174`	`174`	`}`
`175`		`- if strings.Contains(mount.Mountpoint, invalidMountCharacters) {`
	`175`	`+ if strings.ContainsAny(mount.Mountpoint, invalidMountCharacters) {`
`176`	`176`	`errs = errors.Append(errs, NewValidationError(errors.Newf("step %d mount mountpoint contains invalid characters", i+1)))`
`177`	`177`	`}`
`178`	`178`	`}`
	`179`	`+ for name := range step.Files {`
	`180`	`+ if strings.ContainsAny(name, invalidMountCharacters) {`
	`181`	`+ errs = errors.Append(errs, NewValidationError(errors.Newf("step %d files target path contains invalid characters", i+1)))`
	`182`	`+ }`
	`183`	`+ }`
`179`	`184`	`}`
`180`	`185`
`181`	`186`	`return &spec, errs`
`182`	`187`	`}`
`183`		`-`
`184`		`-const invalidMountCharacters = ","`
	`188`	+// docker uses Golang's `encoding/csv` library to parse arguments passed to `--mount`
	`189`	`+const invalidMountCharacters = ",\"\n\r"`
`185`	`190`
`186`	`191`	`func (on *OnQueryOrRepository) String() string {`
`187`	`192`	`if on.RepositoriesMatchingQuery != "" {`