Potential Risk with Makefile's install Target #92

Closed
pingcto opened this issue Aug 19, 2023 · 1 comment

pingcto commented Aug 19, 2023

Potential Risk with Makefile's install Target

Hello Uguu maintainers and community,
While setting up Uguu on a server, I noticed a potential risk in the Makefile that could lead to unintentional data loss if certain conditions are met.

Issue:

The install target in the Makefile contains the following command:

rm -rf $(DESTDIR)/*

The DESTDIR variable is set by reading the .dest key from the config.json file:

DESTDIR = $(shell $(CURDIR)/$(NODEJQ) -r ".dest" $(CURDIR)/$(CONF))

If for any reason the .dest key is missing from the config.json or if it's set to an empty value, the DESTDIR variable would be empty. This would cause the rm -rf $(DESTDIR)/* command to translate to:

rm -rf /*

  • This command WILL recursively delete everything from the root directory (/) downwards.
  • This command will delete your entire file system, and render your machine unusable.

Potential Impact:

- Unintentional deletion of the entire filesystem.

- Loss of data and system instability.

- Potential server downtime and recovery efforts.

Recommendation:

  • Add a safety check in the Makefile to ensure that DESTDIR is always set to a non-empty value before proceeding with any operations that use it.
  • Consider adding a warning or prompt before executing potentially destructive commands, giving the user a chance to review and confirm their actions.
  • It might also be beneficial to have a default value for DESTDIR that resides within the Uguu directory structure to prevent accidental operations outside the intended directory.

I hope this information helps in improving the safety and robustness of the Uguu setup process.

Thank you for your hard work on this project, and I look forward to any feedback or discussions on this matter.

@nokonoko
Owner

Hi!

This has been fixed in v.1.7.6 by defaulting to "dist" if the value is empty.

Thank you for reporting this.
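
A guard for this kind of cleanup step, as an added example that is not Uguu's Makefile code or the fix shipped in the project. The function names and exit codes are hypothetical; it applies the "dist" fallback mentioned above and additionally assumes that neither "/" nor the project root may ever be cleaned.

```shell
#!/bin/sh
# Added example, not Uguu's Makefile code. Names and exit codes are hypothetical.

# resolve_destdir RAW PROJECT_ROOT
#   RAW is the string read from the .dest key of config.json.
#   Prints the canonical directory that may be cleaned.
#   Returns 1 if the path must not be cleaned, 2 if it does not exist yet.
resolve_destdir() {
    raw=$1
    # Unset value: empty string, or the literal "null" that jq -r prints
    # for a missing key. Fall back to "dist", the default named in the fix.
    case $raw in
        ''|null) raw=dist ;;
    esac
    root=$(cd -- "$2" 2>/dev/null && pwd -P) || return 1
    # Relative values are taken relative to the project root.
    case $raw in
        /*) path=$raw ;;
        *)  path=$root/$raw ;;
    esac
    # Canonicalise so "/.", "//" and "a/../.." cannot hide the real target.
    canon=$(cd -- "$path" 2>/dev/null && pwd -P) || return 2
    # Assumption of this example: never clean "/" or the source tree itself.
    if [ "$canon" = / ] || [ "$canon" = "$root" ]; then
        echo "refusing to clean '$canon' (dest='$1')" >&2
        return 1
    fi
    printf '%s\n' "$canon"
}

# clean_destdir RAW PROJECT_ROOT: guarded form of rm -rf $(DESTDIR)/*
clean_destdir() {
    rc=0
    dest=$(resolve_destdir "$1" "$2") || rc=$?
    [ "$rc" -ne 2 ] || return 0   # nothing installed yet, nothing to remove
    [ "$rc" -eq 0 ] || return "$rc"
    # ${dest:?} aborts instead of expanding to "/*" if dest is ever empty.
    rm -rf -- "${dest:?}"/*
}
```

In a Makefile recipe the same idea reduces to failing the target before the `rm` line whenever the resolved directory is empty or `/`.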
