public_git
/
kaniko
mirror of https://github.com/GoogleContainerTools/kaniko
1
0
Fork 0
Code Issues Releases Wiki Activity

add /tmp/apt-key to whitelist for Dockerfiles which use command

This commit is contained in:
Tejal Desai 2020-01-24 15:54:44 -08:00
parent a2aae6274d
commit 5951d9b0ee
3 changed files with 31 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
pkg/snapshot/layered_map.go
View File

@ -20,11 +20,13 @@ import (
"bytes" "bytes"
"encoding/json" "encoding/json"
"fmt" "fmt"
"os"
"path/filepath" "path/filepath"
"strings" "strings"
"github.com/GoogleContainerTools/kaniko/pkg/timing" "github.com/GoogleContainerTools/kaniko/pkg/timing"
"github.com/GoogleContainerTools/kaniko/pkg/util" "github.com/GoogleContainerTools/kaniko/pkg/util"
"github.com/sirupsen/logrus"
) )
type LayeredMap struct { type LayeredMap struct {
@ -113,13 +115,18 @@ func (l *LayeredMap) Add(s string) error {
// from the current layered map by its hashing function. // from the current layered map by its hashing function.
// Returns true if the file is changed. // Returns true if the file is changed.
func (l *LayeredMap) CheckFileChange(s string) (bool, error) { func (l *LayeredMap) CheckFileChange(s string) (bool, error) {
oldV, ok := l.Get(s)
t := timing.Start("Hashing files") t := timing.Start("Hashing files")
defer timing.DefaultRun.Stop(t) defer timing.DefaultRun.Stop(t)
newV, err := l.hasher(s) newV, err := l.hasher(s)
if err != nil { if err != nil {
// if this file does not exist in the new layer return.
if os.IsNotExist(err) {
logrus.Tracef("%s detected as changed but does not exist", s)
return false, nil
}
return false, err return false, err
} }
oldV, ok := l.Get(s)
if ok && newV == oldV { if ok && newV == oldV {
return false, nil return false, nil
} }

19
pkg/util/fs_util.go
View File

@ -26,6 +26,7 @@ import (
"net/http" "net/http"
"os" "os"
"path/filepath" "path/filepath"
"regexp"
"strings" "strings"
"syscall" "syscall"
"time" "time"
@ -61,6 +62,12 @@ var initialWhitelist = []WhitelistEntry{
Path: "/etc/mtab", Path: "/etc/mtab",
PrefixMatchOnly: false, PrefixMatchOnly: false,
}, },
{
// we whitelist /tmp/apt-key-gpghome, since the apt keys are added temporarily in this directory.
// from the base image
Path: "/tmp/apt-key-gpghome",
PrefixMatchOnly: true,
},
} }
var whitelist = initialWhitelist var whitelist = initialWhitelist
@ -674,7 +681,7 @@ func excludeFile(path, buildcontext string) bool {
return match return match
} }
// HasFilepathPrefix checks if the given file path begins with prefix // HasFilepathPrefix checks if the given file path begins with prefix
func HasFilepathPrefix(path, prefix string, prefixMatchOnly bool) bool { func HasFilepathPrefix(path, prefix string, prefixMatchOnly bool) bool {
prefix = filepath.Clean(prefix) prefix = filepath.Clean(prefix)
prefixArray := strings.Split(prefix, "/") prefixArray := strings.Split(prefix, "/")
@ -687,11 +694,15 @@ func HasFilepathPrefix(path, prefix string, prefixMatchOnly bool) bool {
if prefixMatchOnly && len(pathArray) == len(prefixArray) { if prefixMatchOnly && len(pathArray) == len(prefixArray) {
return false return false
} }
for index := range prefixArray { for index := range prefixArray {
if prefixArray[index] == pathArray[index] { m, err := regexp.MatchString(prefixArray[index], pathArray[index])
continue if err != nil {
return false
}
if !m {
return false
} }
return false
} }
return true return true
} }

8
pkg/util/fs_util_test.go
View File

@ -259,6 +259,14 @@ func Test_CheckWhitelist(t *testing.T) {
}, },
want: false, want: false,
}, },
{
name: "prefix match only ",
args: args{
path: "/tmp/apt-key-gpghome.xft/gpg.key",
whitelist: []WhitelistEntry{{"/tmp/apt-key-gpghome.*", true}},
},
want: true,
},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {