Skip to content

Add support for docker-compose run to the ssh option #5637

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
schlessera merged 7 commits into from
Oct 12, 2022
Merged

Add support for docker-compose run to the ssh option #5637

schlessera merged 7 commits into from
Oct 12, 2022

Conversation

@johnbillion
Copy link
Contributor

@johnbillion johnbillion commented May 5, 2022
edited
Loading

The docker: and docker-compose: schemes for the ssh option are useful, but they only work when the target container is already running and therefore supports running a shell command via docker[-compose] exec.

Some environments, for example the wordpress-develop local development environment, run WP-CLI via a container that only starts when needed and therefore requires the use of run instead of exec. The ssh option in WP-CLI doesn't currently support running commands in a container in this manner.

The change in this PR introduces support for a docker-compose-run scheme for the ssh option which runs the command via docker compose run <container> <cmd>.

With this support in place you could put the following config into the root of any project that uses wordpressdevelop/cli and then simply use wp <cmd> instead of npm run env:cli -- <cmd> or docker-compose run cli -- <cmd>.

# wp-cli.yml
ssh: docker-compose-run:cli

You'll note that the command needs to be constructed differently to all the other schemes supported by the ssh option, crucially that the command cannot be wrapped in escapeshellarg() because docker-compose run <container> <cmd> doesn't support the command being quoted. I am honestly not sure of the security implications of this, we might need to consult someone a bit more familiar with the internals of sending commands via run.

Feedback welcome.

@johnbillion johnbillion requested a review from a team as a code owner May 5, 2022 18:22
danielbachhuber
danielbachhuber approved these changes Aug 18, 2022
View reviewed changes
Copy link
Member

@danielbachhuber danielbachhuber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems fine to me!

You'll note that the command needs to be constructed differently to all the other schemes supported by the ssh option, crucially that the command cannot be wrapped in escapeshellarg() because docker-compose run <container> <cmd> doesn't support the command being quoted.

My understanding is that escapeshellarg() is primary for escaping user-supplied input to a hard-coded command. escapeshellarg() is meant to prevent them from escaping the hard-coded command and running their own arbitrary command.

In this case, we're running the user's full command under their user credentials, so there isn't anything new they can do with this vector.

@schlessera schlessera added this to the 2.7.0 milestone Oct 12, 2022
@schlessera schlessera merged commit c651e20 into wp-cli:master Oct 12, 2022
@johnbillion johnbillion deleted the docker-run branch October 12, 2022 11:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danielbachhuber danielbachhuber danielbachhuber approved these changes

@schlessera schlessera schlessera approved these changes

Assignees

No one assigned

Labels

scope:framework

Projects

None yet

Milestone

2.7.0

Development

Successfully merging this pull request may close these issues.

3 participants

@johnbillion @danielbachhuber @schlessera