From dc97fa42015335ee46a84aa12f4d54621c70e64d Mon Sep 17 00:00:00 2001 From: ER Date: Sun, 13 Aug 2023 18:36:49 +0300 Subject: [PATCH] fix: don't run arbitrary commands with script * scripts are now called with their absolute paths instead of ./ --- config/recipe.yml | 10 +++++----- modules/script/script.sh | 8 ++++---- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/config/recipe.yml b/config/recipe.yml index 53684aea9e..327a9d7379 100644 --- a/config/recipe.yml +++ b/config/recipe.yml @@ -5,16 +5,16 @@ image-version: 38 modules: - type: script - run: # commands directly run inside scripts directory - - ./autorun.sh pre + scripts: + - autorun.sh pre - from-file: common-packages.yml # paths relative to "config" directory - type: script - run: + scripts: # this sets up the proper policy & signing files for signed images to work - - ./signing.sh - - ./autorun.sh post + - signing.sh + - autorun.sh post - type: yafti # no need for an enable-disable key, inclusion implicitly enables diff --git a/modules/script/script.sh b/modules/script/script.sh index ac76171755..3290f02d08 100644 --- a/modules/script/script.sh +++ b/modules/script/script.sh @@ -3,13 +3,13 @@ # Tell build process to exit if there are any errors. set -oue pipefail -get_yaml_array RUN '.run[]' "$1" +get_yaml_array SCRIPTS '.scripts[]' "$1" cd "$CONFIG_DIRECTORY/scripts" find "$PWD" -type f -exec chmod +x {} \; -for CMD in "${RUN[@]}"; do - echo "Running command: $CMD" - eval "$CMD" +for SCRIPT in "${SCRIPTS[@]}"; do + echo "Running script $SCRIPT" + eval "$PWD/$SCRIPT" done \ No newline at end of file
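Review bot: The new `scripts:` key in both `type: script` entries has no comment, whereas the removed `run:` line explained that its entries ran inside the scripts directory. Judging by the script.sh change in this same commit, entries are now file names resolved against that directory, and `autorun.sh pre` shows they may still carry arguments. I would say so on the first entry, for example `scripts: # file names inside the scripts directory, optionally followed by arguments`. The `modules:` list continues outside the hunk.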
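Review bot: `eval "$PWD/$SCRIPT"` still hands the whole recipe entry to the shell parser, so the added prefix only pins the first word. Separators, substitutions and `..` components inside an entry are interpreted as before, which means the commit's stated goal is not met. I would invoke the file directly, splitting the entry into name and arguments with `read -r -a` and rejecting names that point outside the scripts directory; this also keeps a `$PWD` containing spaces from being re-split. The trade-off is that arguments containing whitespace can no longer be expressed, which the recipe in this commit does not need. `get_yaml_array` and the shebang are outside the hunk, so bash is assumed from the array syntax.

```shell
for SCRIPT in "${SCRIPTS[@]}"; do
    # … unchanged: echo "Running script $SCRIPT" …
    # Split on whitespace only; the entry is never re-parsed by the shell.
    read -r -a ARGV <<< "$SCRIPT"
    # Conservative check: no empty name, no absolute path, no ".." anywhere.
    case "${ARGV[0]:-}" in
        ""|/*|*..*)
            echo "Refusing script entry: $SCRIPT" >&2
            exit 1
            ;;
    esac
    "$PWD/${ARGV[0]}" "${ARGV[@]:1}"
done
```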