fix: don't run arbitrary commands with script

* scripts are now called with their absolute paths instead of ./

config/recipe.yml

@@ -5,16 +5,16 @@ image-version: 38
 
 modules:
   - type: script
-    run: # commands directly run inside scripts directory
+    scripts:
-      - ./autorun.sh pre
+      - autorun.sh pre
   
   - from-file: common-packages.yml # paths relative to "config" directory
 
   - type: script
-    run:
+    scripts:
       # this sets up the proper policy & signing files for signed images to work
-      - ./signing.sh 
+      - signing.sh 
-      - ./autorun.sh post
+      - autorun.sh post
 
 
   - type: yafti # no need for an enable-disable key, inclusion implicitly enables

modules/script/script.sh

@@ -3,13 +3,13 @@
 # Tell build process to exit if there are any errors.
 set -oue pipefail
 
-get_yaml_array RUN '.run[]' "$1"
+get_yaml_array SCRIPTS '.scripts[]' "$1"
 
 cd "$CONFIG_DIRECTORY/scripts"
 
 find "$PWD" -type f -exec chmod +x {} \;
 
-for CMD in "${RUN[@]}"; do
+for SCRIPT in "${SCRIPTS[@]}"; do
-    echo "Running command: $CMD"
+    echo "Running script $SCRIPT"
-    eval "$CMD"
+    eval "$PWD/$SCRIPT"
 done