Changing Default Shell Using RUN Command
- Query id: 8a301064-c291-4b20-adcb-403fe7fd95fd
- Query name: Changing Default Shell Using RUN Command
- Platform: Dockerfile
- Severity: Medium
- Category: Best Practices
- CWE: 710
- URL: Github
Description
Using the RUN instruction to override the default shell, instead of the SHELL instruction, leads to inefficiencies. It also does not make sense, since Docker provides the SHELL instruction for this exact purpose.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - dockerfile file
FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
RUN yum install
RUN ln -sfv /bin/bash /bin/sh
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
Positive test num. 2 - dockerfile file
FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
RUN yum install
RUN powershell -command
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
Code samples without security vulnerabilities
Negative test num. 1 - dockerfile file
FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
RUN yum install
SHELL ["/bin/bash", "-c"]
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
Negative test num. 2 - dockerfile file
FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
RUN yum install
SHELL ["cmd", "/S", "/C"]
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
Negative test num. 3 - dockerfile file
FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
RUN yum install
SHELL ["powershell", "-command"]
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
Negative test num. 4 - dockerfile file
FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
RUN yum install
SHELL ["/bin/sh", "-c"]
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
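
A minimal checker for the pattern this query flags, added here as an illustration and not the KICS query's own implementation. The function names and the matching heuristic (a RUN that replaces `/bin/sh`, or a bare `powershell -command`) are assumptions derived from the two positive samples above.

```python
import re
import shlex

RELINK_CMDS = {"ln", "mv", "cp"}         # can replace /bin/sh when it is the destination
SHELL_BINARIES = {"powershell", "pwsh"}  # bare invocation, as in positive test 2
SH_PATHS = {"/bin/sh", "/usr/bin/sh"}

def logical_lines(text):
    """Yield (first_line_no, instruction), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start if buf else no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""

def find_shell_overrides(dockerfile_text):
    """Return [(line_no, reason)] for RUN instructions that try to switch shells."""
    findings = []
    for no, instr in logical_lines(dockerfile_text):
        match = re.match(r"RUN\s+(.*)", instr, re.IGNORECASE)
        if not match:
            continue
        # Naive split on shell operators (ignores quoting); enough for a lint heuristic.
        for cmd in re.split(r"&&|\|\||;|\|", match.group(1)):
            try:
                argv = shlex.split(cmd)
            except ValueError:
                continue
            argv = argv[1:] if argv[:1] == ["sudo"] else argv
            if not argv:
                continue
            name = argv[0].rsplit("/", 1)[-1].lower()
            if name in RELINK_CMDS and len(argv) >= 3 and argv[-1] in SH_PATHS:
                findings.append((no, "RUN replaces /bin/sh; use SHELL instead"))
            elif name in SHELL_BINARIES and all(a.lower() in ("-command", "-c") for a in argv[1:]):
                findings.append((no, "RUN starts a shell without a command; use SHELL instead"))
    return findings

# Constructed inputs, shortened from the page's positive and negative samples.
POSITIVE_1 = "FROM alpine:3.5\nRUN apk add --update py2-pip\nRUN ln -sfv /bin/bash /bin/sh\n"
POSITIVE_2 = "FROM alpine:3.5\nRUN apk add --update py2-pip\nRUN powershell -command\n"
NEGATIVE_1 = 'FROM alpine:3.5\nRUN apk add --update py2-pip\nSHELL ["/bin/bash", "-c"]\n'
CHAINED = "FROM alpine:3.5\nRUN apk add --no-cache bash && \\\n    ln -sf /bin/bash /bin/sh\n"
```

Calling `find_shell_overrides(POSITIVE_1)` reports line 3, while `NEGATIVE_1` yields no findings because the shell change is expressed with SHELL.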