RUN Instruction Using 'cd' Instead of WORKDIR

  • Query id: f4a6bcd3-e231-4acf-993c-aa027be50d2e
  • Query name: RUN Instruction Using 'cd' Instead of WORKDIR
  • Platform: Dockerfile
  • Severity: Low
  • Category: Build Process
  • CWE: 710
  • URL: Github

Description

In a RUN instruction, 'cd' should only be used with a full path. For relative paths, use the WORKDIR instruction instead.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - dockerfile file
FROM nginx
ENV AUTHOR=Docker
RUN cd /../share/nginx/html
COPY Hello_docker.html /usr/share/nginx/html
CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'

FROM nginx
ENV AUTHOR=Docker
RUN cd ../share/nginx/html
COPY Hello_docker.html /usr/share/nginx/html
CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'

FROM nginx
ENV AUTHOR=Docker
RUN cd /usr/../share/nginx/html
COPY Hello_docker.html /usr/share/nginx/html
CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file
FROM nginx
ENV AUTHOR=Docker
WORKDIR /usr/share/nginx/html
COPY Hello_docker.html /usr/share/nginx/html
CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'

Negative test num. 2 - dockerfile file
FROM nginx
ENV AUTHOR=Docker
RUN cd /usr/share/nginx/html
COPY Hello_docker.html /usr/share/nginx/html
CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
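
The check these samples exercise can be sketched as a small scanner. This is an added example, not the query's own code: the function names are hypothetical, and the rule "a full path is absolute and has no '..' segment" is an assumption inferred from which samples above are flagged. It handles shell-form RUN only.

```python
import re
import shlex

# Constructed sample: RUN lines taken from the page's positive and negative tests.
SAMPLE = """\
FROM nginx
RUN cd /../share/nginx/html
FROM nginx
RUN cd ../share/nginx/html
FROM nginx
RUN cd /usr/../share/nginx/html
FROM nginx
RUN cd /usr/share/nginx/html && ls
CMD cd html && nginx -g 'daemon off;'
"""

def logical_lines(text):
    """Yield (first_line_number, instruction) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines are ignored, even inside a continuation
        start = start or n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def is_full_path(path):
    """Assumed rule: absolute and free of '..' segments, matching the page's samples."""
    return path.startswith("/") and ".." not in path.split("/")

def find_relative_cd(text):
    """Return [(line, path)] for RUN instructions whose 'cd' target is not a full path."""
    findings = []
    for n, instr in logical_lines(text):
        parts = instr.split(None, 1)
        if len(parts) < 2 or parts[0].upper() != "RUN":
            continue  # CMD and other instructions are outside this rule
        for cmd in re.split(r"&&|\|\||;|\|", parts[1]):  # split into simple commands
            try:
                words = shlex.split(cmd)
            except ValueError:
                continue  # unbalanced quotes after splitting: skip this fragment
            if len(words) >= 2 and words[0] == "cd" and not is_full_path(words[1]):
                findings.append((n, words[1]))
    return findings
```

Running `find_relative_cd(SAMPLE)` reports lines 2, 4 and 6 and leaves the full-path RUN and the CMD line alone.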