feat: add execroot & runfiles symlink guards to js_binary #133
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gregmagolan
force-pushed
the
symlink_guards
branch
11 times, most recently
from
7b7c6c8 to
4a76052
Compare
gregmagolan
force-pushed
the
symlink_guards
branch
from
4a76052 to
dacb4c5
Compare
gregmagolan
force-pushed
the
symlink_guards
branch
4 times, most recently
from
3d9e566 to
89eb420
Compare
gregmagolan
force-pushed
the
symlink_guards
branch
7 times, most recently
from
dd68379 to
c7d9971
Compare
gregmagolan
changed the title
gregmagolan
changed the title
alexeagle
reviewed
Jun 13, 2022
gregmagolan
force-pushed
the
symlink_guards
branch
3 times, most recently
from
0faad7c to
2b133a2
Compare
gregmagolan
changed the title
gregmagolan
force-pushed
the
symlink_guards
branch
2 times, most recently
from
19bb590 to
2ec930e
Compare
gregmagolan
force-pushed
the
symlink_guards
branch
from
2ec930e to
7717b25
Compare
Done. Brought unit tests in from rules_nodejs for the patches |
alexeagle
approved these changes
Jun 14, 2022
| @@ -15,7 +15,7 @@ console.log(c.id()) | |||
| const fp = require('@e2e/lib') | |||
| console.log('--@e2e/lib--') | |||
| console.log(fp.id()) | |||
| const rulesFooA = require('../external/rules_foo/foo/node_modules/@aspect-test/a') | |||
| const rulesFooA = require('../../rules_foo/foo/node_modules/@aspect-test/a') | |||
There was a problem hiding this comment.
yea, the path here is runfiles relative for this test. no legacy external runfiles :)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #114
The fs patches here have been modified from their original implementation in rules_nodejs https://github.com/bazelbuild/rules_nodejs/blob/173a0252f273de48a6a237518e9cb0d9854cb8e6/packages/node-patches/src/fs.ts.
The have been improved to allow following symlinks within the sandbox, which is required for finding deps in a symlinks node_modules structure. Since the sandbox (on macos) is a tree of symlinks that all point back to their counterparts outside of the sandbox, the old implementation prevented following symlinks entirely (akin to passing `--preserve-symlinks) since every follow was an escape from the guarded sandbox.
In this implementation, if the readlink escape is a symlink to a symlink then we readlink the escaped symlink. For lstat we do the same. For realpath, if we the relative path from the link to the realpath can be remapped into the escaped root then it is.
In rules_js, the guards are setup to protect the execroot (which protects the sandbox when there is one and protects from escaping into the source tree when there isn't) and to protect the runfiles tree for the js_binary in the build, test or run target since that is a symlink tree as well. This is simpler than what was done in rules_nodejs which was to protect all of the dynamically linked node_modules trees.