From 61be56a09b2081fcfa652c1c45750afc901e5c6e Mon Sep 17 00:00:00 2001
From: Aditya R
Date: Thu, 27 Oct 2022 12:45:22 +0530
Subject: [PATCH] remote,build: error if containerignore is symlink

Drop support for remote use-cases when `.containerignore` or `.dockerignore` is a symlink pointing to arbitrary location on host.

Signed-off-by: Aditya R
---
 pkg/bindings/images/build.go | 24 +++++++++++++++++--
 .../containerignore-symlink/.dockerignore | 1 +
 .../build/containerignore-symlink/Dockerfile | 2 ++
 test/e2e/build/containerignore-symlink/hello | 0
 test/e2e/build/containerignore-symlink/world | 0
 test/e2e/build_test.go | 14 +++++++++++
 6 files changed, 39 insertions(+), 2 deletions(-)
 create mode 120000 test/e2e/build/containerignore-symlink/.dockerignore
 create mode 100644 test/e2e/build/containerignore-symlink/Dockerfile
 create mode 100644 test/e2e/build/containerignore-symlink/hello
 create mode 100644 test/e2e/build/containerignore-symlink/world

diff --git a/pkg/bindings/images/build.go b/pkg/bindings/images/build.go
index f8552cddb354..aabc7290de87 100644
--- a/pkg/bindings/images/build.go
+++ b/pkg/bindings/images/build.go
@@ -743,11 +743,31 @@ func nTar(excludes []string, sources ...string) (io.ReadCloser, error) {
 return rc, nil
 }

+func errIfSymlink(path string) error {
+ pathInfo, err := os.Lstat(path)
+ if err == nil {
+ if pathInfo.Mode()&os.ModeSymlink == os.ModeSymlink {
+ return fmt.Errorf("%s cannot be a symlink", path)
+ }
+ }
+ return nil
+}
+
 func parseDockerignore(root string) ([]string, error) {
- ignore, err := os.ReadFile(filepath.Join(root, ".containerignore"))
+ path := filepath.Join(root, ".containerignore")
+ err := errIfSymlink(path)
+ if err != nil {
+ return nil, err
+ }
+ ignore, err := os.ReadFile(path)
 if err != nil {
 var dockerIgnoreErr error
- ignore, dockerIgnoreErr = os.ReadFile(filepath.Join(root, ".dockerignore"))
+ path = filepath.Join(root, ".dockerignore")
+ symlinkErr := errIfSymlink(path)
+ if symlinkErr != nil {
+ return nil, symlinkErr
+ }
+ ignore, dockerIgnoreErr = os.ReadFile(path)
 if dockerIgnoreErr != nil && !os.IsNotExist(dockerIgnoreErr) {
 return nil, err
 }
diff --git a/test/e2e/build/containerignore-symlink/.dockerignore b/test/e2e/build/containerignore-symlink/.dockerignore
new file mode 120000
index 000000000000..7ec132580625
--- /dev/null
+++ b/test/e2e/build/containerignore-symlink/.dockerignore
@@ -0,0 +1 @@
+/tmp/private_file
\ No newline at end of file
diff --git a/test/e2e/build/containerignore-symlink/Dockerfile b/test/e2e/build/containerignore-symlink/Dockerfile
new file mode 100644
index 000000000000..0f64ccd18650
--- /dev/null
+++ b/test/e2e/build/containerignore-symlink/Dockerfile
@@ -0,0 +1,2 @@
+FROM alpine
+COPY / /dir
diff --git a/test/e2e/build/containerignore-symlink/hello b/test/e2e/build/containerignore-symlink/hello
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/test/e2e/build/containerignore-symlink/world b/test/e2e/build/containerignore-symlink/world
new file mode 100644
index 000000000000..e69de29bb2d1
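Review bot: errIfSymlink inspects the path with `os.Lstat` and parseDockerignore then passes the same path to `os.ReadFile`, so the check and the read are two separate lookups and nothing ties the bytes read to the entry that was checked. If the build context can be modified while the build runs, the read could still go through a link; reading via a helper that opens once and compares the `Lstat` result with the open handle using `os.SameFile`, as sketched below, binds the two. errIfSymlink also returns nil for every `Lstat` failure, not only a missing file, which deserves a one-line comment so the fall-through to the read is clearly intentional. parseDockerignore's body continues past the end of the hunk.

```go
// readIgnoreFile reads path and rejects it unless the file that was opened
// is the same non-symlink entry that Lstat reported.
func readIgnoreFile(path string) ([]byte, error) {
	before, err := os.Lstat(path)
	if err != nil {
		return nil, err
	}
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	after, err := f.Stat()
	if err != nil {
		return nil, err
	}
	// Open follows links, so a mismatch means the path resolved elsewhere.
	if before.Mode()&os.ModeSymlink != 0 || !os.SameFile(before, after) {
		return nil, fmt.Errorf("%s cannot be a symlink", path)
	}
	return io.ReadAll(f)
}

// … unchanged: errIfSymlink and its early returns in parseDockerignore …
	ignore, err := readIgnoreFile(path)
// … unchanged: .dockerignore fallback, with its read also going through readIgnoreFile …
```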
diff --git a/test/e2e/build_test.go b/test/e2e/build_test.go
index 0f6cb2a10d9b..745b1efed913 100644
--- a/test/e2e/build_test.go
+++ b/test/e2e/build_test.go
@@ -412,6 +412,20 @@ RUN find /test`, ALPINE)
 Expect(session.OutputToString()).To(ContainSubstring("/test/dummy"))
 })

+ It("podman remote build must not allow symlink for ignore files", func() {
+ if IsRemote() {
+ podmanTest.StopRemoteService()
+ podmanTest.StartRemoteService()
+ } else {
+ Skip("Only valid at remote test")
+ }
+
+ session := podmanTest.Podman([]string{"build", "--pull-never", "-t", "test", "build/containerignore-symlink/"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).To(ContainSubstring(".dockerignore cannot be a symlink"))
+ Expect(session).Should(Exit(125))
+ })
+
 It("podman remote test container/docker file is not at root of context dir", func() {
 if IsRemote() {
 podmanTest.StopRemoteService()
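Review bot: The message assertion passes `session` itself to `ContainSubstring`, whereas the neighbouring test in the context lines matches on `session.OutputToString()`. Unless the session type implements `fmt.Stringer`, gomega will report a matcher type error instead of comparing text. The expected text is an error message, so matching the error stream is probably what is meant, e.g. `Expect(session.ErrorToString()).To(ContainSubstring(".dockerignore cannot be a symlink"))`. The fixture link targets `/tmp/private_file`, which this test never creates, so only the dangling-link case is exercised. A variant that creates the target would confirm that an existing host file is rejected the same way.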