root folder for the engine/service while accessing from browser #108

Open
KrishnaPG opened this issue Apr 10, 2016 · 1 comment
Comments

@KrishnaPG

In any code executed from browser, the path / stands for the website root folder (and not the machine root folder), in usual web development best / security practices.

However, the write command in juttle (while accessing from browser through remote machine) is allowing folder access at machine level root folders, which could be a security concern.

Consider the case below:

read http -url 'https://raw.githubusercontent.com/juttle/juttle-engine/master/examples/github-tutorial/github_data.json' -format 'json'
| (
    head 2; 
    tail 1)
| write file -file '/tmp/metadata.csv' -format 'csv'

I would expect the /tmp/ to be relative to the location where juttle-engine is running (or configured as website's root). However, after running the above snippet I am seeing the /tmp/metadata.csv under the machine's /tmp folder and not relative.

The below line on the other hand is creating the file in relative tmp folder (at website's root level):

write file -file 'tmp/metadata.csv' -format 'csv'
@KrishnaPG (Author)

Maybe this is related to issue #69

One small difference though is: in the present case, I am running juttle-engine in daemon mode with the command below, without any additional configurations or root options set.

$ juttle-engine -d -o juttle-engine.log

Besides, no matter what the config, the server (any webservice), should never allow any folder beyond its designated root folder sub-tree to be accessed and/or modified through browser supplied code. It would become a security loophole.
