security: validate batch spec mount name

[cbrnrd]

Problem

step.Mount paths are validated to reject commas (via invalidMountCharacters), but step.Files keys are not, even though both end up interpolated into Docker --mount arguments in run_steps.go:

fmt.Sprintf("type=bind,source=%s,target=%s,ro", source.Name(), target)

A malicious batch spec could exploit this by using a files key containing commas to inject additional mount parameters:

steps:
  - files:
      "/tmp/x,source=/var/run/docker.sock,target=/var/run/docker.sock": "IGNORED"

This produces a --mount argument where the injected source= and target= values override the legitimate ones, potentially mounting arbitrary host paths (e.g., the Docker socket) into the container.

Solution

Add the same comma validation to step.Files keys that already exists for step.Mount paths and mountpoints. This will reject any files target path containing commas during batch spec parsing.

[keegancsmith]

So according to https://ampcode.com/threads/T-019d4fb2-9f9c-7675-9802-e4dc35a15d4f docker just uses golangs encoding/csv to parse this argument.

As such you should also reject ". An attacker could use that as well. I think newlines and carriage return could also be used to bypass protections.

Alternatively we could encode the argument value using encoding/csv.