COPY with multiple sources must end destination with /
ID | copy_trailing_slash
Severity | high
Family | Container Security
Tags | dockerfile, flaw
Description
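When a COPY command has more than one source, either because it has more than two arguments or because a source uses a wildcard, the last argument (the destination) should end with a slash. If the slash is missing, probably due to a typo, the image may end up without the expected contents.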
From the COPY command documentation:
"If multiple <src> resources are specified, either directly or due to the use of a wildcard, then <dest> must be a directory, and it must end with a slash /."
Reference: COPY command.
Examples
# issue
COPY package.json yarn.lock my_app
# issue
COPY /app/package.json /app/yarn.lock /my_app/app
# issue, wildcard
COPY /app/package*.json /my_app/app
Mitigation / Fix
Add a trailing slash (/) to the destination to denote a directory.
# this is allowed, internal use
COPY file:abcdef010203 IN /
COPY multi:abcdef010203 IN /
# fixed
COPY package.json yarn.lock my_app/
# fixed
COPY /app/package.json /app/yarn.lock /my_app/app/
# fixed
COPY /app/package*.json /my_app/app/
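One way to check a Dockerfile for this rule, as an added example (not the scanner's own implementation). It goes beyond the cases listed above by also handling leading flags such as --chown, the JSON array form, and backslash line continuations; the function name and the sample input are assumptions made for the illustration.

```python
import json
import re
import shlex

FLAGS = re.compile(r"^(?:--\S+\s+)+")   # leading flags, e.g. --from=builder
WILDCARD = re.compile(r"[*?\[]")        # glob metacharacters in a source


def find_copy_trailing_slash(text):
    """Return [(destination, instruction)] for COPY lines that break the rule."""
    findings = []
    joined = re.sub(r"\\[ \t]*\n", " ", text)   # fold backslash continuations
    for instr in joined.splitlines():
        parts = instr.split(None, 1)
        if len(parts) != 2 or parts[0].upper() != "COPY":
            continue
        rest = FLAGS.sub("", parts[1].strip())
        try:  # JSON array form, otherwise shell form
            args = json.loads(rest) if rest.startswith("[") else shlex.split(rest)
        except ValueError:  # "[" began a glob such as [ab].txt, not JSON
            args = shlex.split(rest)
        if len(args) < 2 or not all(isinstance(a, str) for a in args):
            continue
        *sources, dest = args
        multiple = len(sources) > 1 or any(WILDCARD.search(s) for s in sources)
        if multiple and not dest.endswith("/"):
            findings.append((dest, " ".join(instr.split())))
    return findings


# Constructed sample: examples from this page plus a flagged, continued COPY.
SAMPLE = """\
COPY package.json yarn.lock my_app
COPY /app/package*.json /my_app/app
COPY --chown=app:app a.txt b.txt \\
     /srv/data
COPY file:abcdef010203 IN /
COPY package.json yarn.lock my_app/
COPY single.txt /opt/single
"""

if __name__ == "__main__":
    for dest, instr in find_copy_trailing_slash(SAMPLE):
        print(f"destination {dest!r} should end with /: {instr}")
```

The internal-use form `COPY file:abcdef010203 IN /` is not reported because its destination `/` already ends with a slash, and a single non-wildcard source is not reported because the destination may legitimately be a file.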