Commit
entrypoint-aws-batch: Keep ../ path parts in ZIP archive members during extraction

The default of stripping ../ parts in member paths is a (good!) restriction for safety and security, but such paths do not pose any (additional) risk in the context of our Nextstrain runtime containers. We're already downloading and executing arbitrary user-supplied code, so the ability to overwrite system files with ZIP archive members is not any additional privilege.

Keeping the ../ parts will allow Nextstrain CLI to construct ZIP archives for jobs which write to sibling paths of /nextstrain/build in the container. This will be used for including pathogen workflow source separate (e.g. in /nextstrain/pathogen) from the analysis working directory (/nextstrain/build).

As a side-effect, thanks to the -o (overwrite) option, this will also allow Nextstrain CLI's --augur, --auspice, etc. overlays to start working with AWS Batch when previously they did not.

Note that Nextstrain CLI does *not* permit ../ path parts when extracting from these same ZIP archives (e.g. after a job completes to download results), as that *would* be additional risk. Currently it strips ../ parts, like unzip's default behaviour, but that will change soon to entirely skip archive members containing ../ parts.
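The client-side policy described in the last paragraph of the commit message (skip members containing ../ parts rather than strip them), as an added example that is not Nextstrain CLI's own code. The function names `is_unsafe_member` and `extract_skipping_traversal` are hypothetical, and the sample archive and its member names are constructed for the demonstration.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def is_unsafe_member(name: str) -> bool:
    """True if a ZIP member name is absolute or contains a ".." path part."""
    # ZIP member names use "/" separators; treat "\" as one too so that
    # Windows-style names cannot slip a ".." part past the check.
    path = PurePosixPath(name.replace("\\", "/"))
    return path.is_absolute() or ".." in path.parts


def extract_skipping_traversal(archive, dest):
    """Extract into dest, skipping (not rewriting) unsafe members.

    Returns (extracted, skipped) lists of member names.
    """
    dest = Path(dest).resolve()
    extracted, skipped = [], []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if is_unsafe_member(info.filename):
                skipped.append(info.filename)
                continue
            target = Path(zf.extract(info, dest)).resolve()
            # Defence in depth: what was written must be inside dest.
            if dest != target and dest not in target.parents:
                raise RuntimeError(f"member escaped {dest}: {info.filename}")
            extracted.append(info.filename)
    return extracted, skipped


def build_sample_archive() -> io.BytesIO:
    """Constructed sample: one ordinary member, two that must be skipped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("results/tree.json", "{}")
        zf.writestr("../pathogen/Snakefile", "rule all: pass")
        zf.writestr("/etc/example.conf", "constructed")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(extract_skipping_traversal(build_sample_archive(), tmp))
```

Returning the skipped names lets the caller log or report them, which stripping the ../ parts silently would not.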