feat: add sandbox symlink guards to js_binary

aspect-build · Jun 14, 2022 · 19bb590 · 19bb590
1 parent cd7dafa
commit 19bb590
Show file tree

Hide file tree

Showing 11 changed files with 1,369 additions and 9 deletions.
diff --git a/.prettierignore b/.prettierignore
@@ -1,3 +1,4 @@
 docs/
 min/
-**/pnpm-lock.yaml
+**/pnpm-lock.yaml
+js/private/node-patches/fs.js
diff --git a/e2e/npm_link_package/src/main.js b/e2e/npm_link_package/src/main.js
@@ -15,7 +15,7 @@ console.log(c.id())
 const fp = require('@e2e/lib')
 console.log('--@e2e/lib--')
 console.log(fp.id())
-const rulesFooA = require('../external/rules_foo/foo/node_modules/@aspect-test/a')
+const rulesFooA = require('../../rules_foo/foo/node_modules/@aspect-test/a')
 console.log('--rulesFooA--')
 console.log(rulesFooA.id())
 console.log(rulesFooA.idB())

diff --git a/js/private/js_binary.bzl b/js/private/js_binary.bzl
@@ -166,6 +166,14 @@ _ATTRS = {
     ),
     "_runfiles_lib": attr.label(default = "@bazel_tools//tools/bash/runfiles"),
     "_windows_constraint": attr.label(default = "@platforms//os:windows"),
+    "_node_patches_files": attr.label_list(
+        allow_files = True,
+        default = ["@aspect_rules_js//js/private/node-patches:fs.js"],
+    ),
+    "_node_patches_entry": attr.label(
+        allow_single_file = True,
+        default = "@aspect_rules_js//js/private/node-patches:register.js",
+    ),
 }
 
 _ENV_SET = """export {var}=\"{value}\""""
@@ -278,7 +286,15 @@ def _create_launcher(ctx, log_prefix_rule_set, log_prefix_rule, fixed_args = [])
     bash_launcher = _bash_launcher(ctx, entry_point_path, log_prefix_rule_set, log_prefix_rule, fixed_args)
     launcher = create_windows_native_launcher_script(ctx, bash_launcher) if is_windows else bash_launcher
 
-    all_files = output_data_files + ctx.files._runfiles_lib + [output_entry_point, bash_launcher] + ctx.toolchains["@rules_nodejs//nodejs:toolchain_type"].nodeinfo.tool_files
+    all_files = []
+    all_files.extend(output_data_files)
+    all_files.extend(ctx.files._runfiles_lib)
+    all_files.append(ctx.file._node_patches_entry)
+    all_files.extend(ctx.files._node_patches_files)
+    all_files.append(output_entry_point)
+    all_files.append(bash_launcher)
+    all_files.extend(ctx.toolchains["@rules_nodejs//nodejs:toolchain_type"].nodeinfo.tool_files)
+
     runfiles = ctx.runfiles(
         files = all_files,
         transitive_files = depset(all_files),

diff --git a/js/private/js_binary.sh.tpl b/js/private/js_binary.sh.tpl
@@ -24,12 +24,14 @@ fi
 LOG_PREFIX="{{log_prefix_rule_set}}[{{log_prefix_rule}}]"
 
 function logf_stderr {
-    local format_string="$1"
+    local format_string="$1\n"
     shift
     if [ "${STDERR_CAPTURE:-}" ]; then
-        printf "$format_string\n" "$@" >>"$STDERR_CAPTURE"
+        # shellcheck disable=SC2059
+        printf "$format_string" "$@" >>"$STDERR_CAPTURE"
     else
-        printf "$format_string\n" "$@" >&2
+        # shellcheck disable=SC2059
+        printf "$format_string" "$@" >&2
     fi
 }
 
@@ -234,11 +236,20 @@ fi
 
 if [[ "$PWD" == *"/bazel-out/"* ]]; then
     # We in runfiles
+    bazel_out="/bazel-out/"
+    rest="${PWD#*"$bazel_out"}"
+    index=$(( ${#PWD} - ${#rest} - ${#bazel_out} ))
+    if [ ${index} -lt 0 ]; then
+        printf "\nERROR: %s: No 'bazel-out' folder found in path '${PWD}'\n" "$LOG_PREFIX" >&2
+        exit 1
+    fi
+    execroot="${PWD:0:$index}"
     node="$PWD/{{node}}"
     entry_point="$PWD/{{entry_point_path}}"
 else
     # We are in execroot or in some other context all together such as a nodejs_image or a manually
     # run js_binary.
+    execroot="$PWD"
     node="$RUNFILES/{{workspace_name}}/{{node}}"
     entry_point="$RUNFILES/{{workspace_name}}/{{entry_point_path}}"
     if [ -z "${BAZEL_BINDIR:-}" ]; then
@@ -268,11 +279,13 @@ if [ ! -f "$entry_point" ]; then
     exit 1
 fi
 
+# Change directory to user specified package if set
 if [ "${JS_BINARY__CHDIR:-}" ]; then
     logf_debug "changing directory to user specified package %s" "$JS_BINARY__CHDIR"
     cd "$JS_BINARY__CHDIR"
 fi
 
+# Gather node options
 NODE_OPTIONS=()
 {{node_options}}
 
@@ -287,6 +300,13 @@ for ARG in ${ALL_ARGS[@]+"${ALL_ARGS[@]}"}; do
     esac
 done
 
+# Run node patches if needed
+export JS_BINARY__FS_PATH_ROOTS="$execroot:$RUNFILES"
+if [ -z "${JS_BINARY__DISABLE_NODE_PATCHES:-}" ] && [ "${JS_BINARY__FS_PATH_ROOTS:-}" ]; then
+    logf_debug "adding node fs patches with roots: %s" "$JS_BINARY__FS_PATH_ROOTS"
+    NODE_OPTIONS+=( "--require" "$RUNFILES/aspect_rules_js/js/private/node-patches/register" )
+fi
+
 # Put bazel managed node on the path
 PATH="$(dirname "$node"):$PATH"
 export PATH

diff --git a/js/private/node-patches/BUILD.bazel b/js/private/node-patches/BUILD.bazel
@@ -0,0 +1,13 @@
+load("@aspect_bazel_lib//lib:write_source_files.bzl", "write_source_files")
+
+write_source_files(
+    name = "checked_in_compile",
+    files = {
+        "fs.js": "//js/private/node-patches/src:fs-generated.js",
+    },
+)
+
+exports_files([
+    "fs.js",
+    "register.js",
+])