Fixes a whitelist issue when untarring files in ADD commands.

GoogleContainerTools · Sep 27, 2018 · 86dd272 · 86dd272
1 parent 1a13c81
commit 86dd272
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 18 deletions.
diff --git a/integration/context/tars/sys.tar.gz b/integration/context/tars/sys.tar.gz
diff --git a/integration/dockerfiles/Dockerfile_test_add b/integration/dockerfiles/Dockerfile_test_add
@@ -14,6 +14,10 @@ ADD $contextenv/* /tmp/${contextenv}/
 ADD context/tars/fil* /tars/
 ADD context/tars/file.tar /tars_again
 
+# This tar has some directories that should be whitelisted inside it.
+
+ADD context/tars/sys.tar.gz /
+
 # Test with ARG
 ARG file
 COPY $file /arg

diff --git a/pkg/util/fs_util.go b/pkg/util/fs_util.go
@@ -86,24 +86,6 @@ func GetFSFromImage(root string, img v1.Image) ([]string, error) {
 				}
 				continue
 			}
-			whitelisted, err := CheckWhitelist(path)
-			if err != nil {
-				return nil, err
-			}
-			if whitelisted && !checkWhitelistRoot(root) {
-				logrus.Debugf("Not adding %s because it is whitelisted", path)
-				continue
-			}
-			if hdr.Typeflag == tar.TypeSymlink {
-				whitelisted, err := CheckWhitelist(hdr.Linkname)
-				if err != nil {
-					return nil, err
-				}
-				if whitelisted {
-					logrus.Debugf("skipping symlink from %s to %s because %s is whitelisted", hdr.Linkname, path, hdr.Linkname)
-					continue
-				}
-			}
 			if err := extractFile(root, hdr, tr); err != nil {
 				return nil, err
 			}
@@ -176,6 +158,15 @@ func extractFile(dest string, hdr *tar.Header, tr io.Reader) error {
 	mode := hdr.FileInfo().Mode()
 	uid := hdr.Uid
 	gid := hdr.Gid
+
+	whitelisted, err := CheckWhitelist(path)
+	if err != nil {
+		return err
+	}
+	if whitelisted && !checkWhitelistRoot(dest) {
+		logrus.Debugf("Not adding %s because it is whitelisted", path)
+		return nil
+	}
 	switch hdr.Typeflag {
 	case tar.TypeReg:
 		logrus.Debugf("creating file %s", path)
@@ -223,6 +214,14 @@ func extractFile(dest string, hdr *tar.Header, tr io.Reader) error {
 
 	case tar.TypeLink:
 		logrus.Debugf("link from %s to %s", hdr.Linkname, path)
+		whitelisted, err := CheckWhitelist(hdr.Linkname)
+		if err != nil {
+			return err
+		}
+		if whitelisted {
+			logrus.Debugf("skipping symlink from %s to %s because %s is whitelisted", hdr.Linkname, path, hdr.Linkname)
+			return nil
+		}
 		// The base directory for a link may not exist before it is created.
 		if err := os.MkdirAll(dir, 0755); err != nil {
 			return err