How can I prevent directory traversal attacks in a bash script, where arguments contain directory names?
STAGE=$1
APP=$2
deploy.sh dist/ /opt/apps/"$STAGE"/"$APP"
$STAGE and $APP variables are set from outside. An attacker could change this to an arbitrary path with "..".
I know the usual solution is to compare the directory string with the result of a function that returns the absolute path. But I couldn’t find a ready solution and don’t want to come up with my own.
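One way to do the comparison described above, as an added example that is not part of the original post: each argument is checked as a single path component, then the canonical path is compared against the canonical base. The function names `is_safe_component` and `resolve_target` are hypothetical, and the code assumes GNU coreutils `realpath` with its `-m` option.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not from the post.

# Accept only one plain path component: non-empty, not "." or "..",
# and built solely from letters, digits, dot, underscore and hyphen
# (so no "/" and no whitespace can get through).
is_safe_component() {
    case "$1" in
        ''|.|..) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# resolve_target BASE STAGE APP
# Prints the canonical BASE/STAGE/APP path, or returns 1 if either
# component is unsafe or the resolved path leaves BASE.
resolve_target() {
    local base stage="$2" app="$3" target
    # realpath -m resolves "..", "." and symlinks, and does not require
    # the path to exist yet (a first deploy has no target directory).
    base=$(realpath -m -- "$1") || return 1
    is_safe_component "$stage" || return 1
    is_safe_component "$app" || return 1
    target=$(realpath -m -- "$base/$stage/$app") || return 1
    # The component check already rejects ".."; this prefix check also
    # catches a STAGE or APP directory that is a symlink out of BASE.
    case "$target" in
        "$base"/*) printf '%s\n' "$target" ;;
        *) return 1 ;;
    esac
}

# Usage in the deploy wrapper (left commented so that sourcing this
# file has no side effects):
#   target=$(resolve_target /opt/apps "$STAGE" "$APP") || {
#       echo "refusing unsafe STAGE/APP" >&2; exit 1; }
#   deploy.sh dist/ "$target"
```

The check and the later use of the path are separate steps, so the base directory should be writable only by the deploying account; otherwise a symlink could be swapped in between them.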