Get absolute path of file before checking whitelist
Issue 291 pointed out that the symlink "../proc/self/mounts" in the fedora image wasn't being extracted properly and kaniko was erroring out. This is because the file path wasn't absolute, so kaniko wasn't recognizing it as a whitelisted path. With this change, we first resolve a path to its absolute path before checking the whitelist.
parent
10efecbb74
commit
d8ae5618af
|
|
@ -8,6 +8,10 @@ COPY --from=0 $foopath context/b* /foo/
|
||||||
FROM second
|
FROM second
|
||||||
COPY --from=base /context/foo /new/foo
|
COPY --from=base /context/foo /new/foo
|
||||||
|
|
||||||
|
# This base image contains symlinks with relative paths to whitelisted directories
|
||||||
|
# We need to test they're extracted correctly
|
||||||
|
FROM fedora@sha256:c4cc32b09c6ae3f1353e7e33a8dda93dc41676b923d6d89afa996b421cc5aa48
|
||||||
|
|
||||||
FROM base
|
FROM base
|
||||||
ARG file
|
ARG file
|
||||||
COPY --from=second /foo ${file}
|
COPY --from=second /foo ${file}
|
||||||
|
|
|
||||||
|
|
@ -95,7 +95,11 @@ func (s *Snapshotter) snapshotFiles(f io.Writer, files []string) (bool, error) {
|
||||||
if val, ok := snapshottedFiles[file]; ok && val {
|
if val, ok := snapshottedFiles[file]; ok && val {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
if util.CheckWhitelist(file) && !isBuildFile(file) {
|
whitelisted, err := util.CheckWhitelist(file)
|
||||||
|
if err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
if whitelisted && !isBuildFile(file) {
|
||||||
logrus.Infof("Not adding %s to layer, as it's whitelisted", file)
|
logrus.Infof("Not adding %s to layer, as it's whitelisted", file)
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
@ -168,7 +172,11 @@ func (s *Snapshotter) snapShotFS(f io.Writer) (bool, error) {
|
||||||
|
|
||||||
// Now create the tar.
|
// Now create the tar.
|
||||||
for path, info := range memFs {
|
for path, info := range memFs {
|
||||||
if util.CheckWhitelist(path) {
|
whitelisted, err := util.CheckWhitelist(path)
|
||||||
|
if err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
if whitelisted {
|
||||||
logrus.Debugf("Not adding %s to layer, as it's whitelisted", path)
|
logrus.Debugf("Not adding %s to layer, as it's whitelisted", path)
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -90,13 +90,20 @@ func GetFSFromImage(root string, img v1.Image) error {
|
||||||
logrus.Infof("Not adding %s because it was added by a prior layer", path)
|
logrus.Infof("Not adding %s because it was added by a prior layer", path)
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
whitelisted, err := CheckWhitelist(path)
|
||||||
if CheckWhitelist(path) && !checkWhitelistRoot(root) {
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if whitelisted && !checkWhitelistRoot(root) {
|
||||||
logrus.Infof("Not adding %s because it is whitelisted", path)
|
logrus.Infof("Not adding %s because it is whitelisted", path)
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
if hdr.Typeflag == tar.TypeSymlink {
|
if hdr.Typeflag == tar.TypeSymlink {
|
||||||
if CheckWhitelist(hdr.Linkname) {
|
whitelisted, err := CheckWhitelist(hdr.Linkname)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if whitelisted {
|
||||||
logrus.Debugf("skipping symlink from %s to %s because %s is whitelisted", hdr.Linkname, path, hdr.Linkname)
|
logrus.Debugf("skipping symlink from %s to %s because %s is whitelisted", hdr.Linkname, path, hdr.Linkname)
|
||||||
continue
|
continue
|
||||||
}
|
}
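Review bot: The symlink check `CheckWhitelist(hdr.Linkname)` now resolves a relative link target through `filepath.Abs`, which joins it to the process working directory rather than to the directory that holds the link. A target such as `../proc/self/mounts` therefore only maps to the intended path when the working directory happens to line up; otherwise a link pointing into a whitelisted mount may not be skipped, or an unrelated link may be skipped. Consider resolving the target against the link's own directory before the check, e.g. `if !filepath.IsAbs(link) { link = filepath.Join(filepath.Dir(path), link) }` with `link := hdr.Linkname`, assuming `path` is the link's location (its assignment is outside this hunk). `filepath.Abs` also does not follow symlinks, so a chain of links is still judged only by its first hop.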
|
||||||
|
|
@ -115,7 +122,11 @@ func GetFSFromImage(root string, img v1.Image) error {
|
||||||
func DeleteFilesystem() error {
|
func DeleteFilesystem() error {
|
||||||
logrus.Info("Deleting filesystem...")
|
logrus.Info("Deleting filesystem...")
|
||||||
err := filepath.Walk(constants.RootDir, func(path string, info os.FileInfo, err error) error {
|
err := filepath.Walk(constants.RootDir, func(path string, info os.FileInfo, err error) error {
|
||||||
if CheckWhitelist(path) || ChildDirInWhitelist(path, constants.RootDir) {
|
whitelisted, err := CheckWhitelist(path)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if whitelisted || ChildDirInWhitelist(path, constants.RootDir) {
|
||||||
logrus.Debugf("Not deleting %s, as it's whitelisted", path)
|
logrus.Debugf("Not deleting %s, as it's whitelisted", path)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
@ -247,13 +258,18 @@ func checkWhiteouts(path string, whiteouts map[string]struct{}) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
func CheckWhitelist(path string) bool {
|
func CheckWhitelist(path string) (bool, error) {
|
||||||
|
abs, err := filepath.Abs(path)
|
||||||
|
if err != nil {
|
||||||
|
logrus.Infof("unable to get absolute path for %s", path)
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
for _, wl := range whitelist {
|
for _, wl := range whitelist {
|
||||||
if HasFilepathPrefix(path, wl) {
|
if HasFilepathPrefix(abs, wl) {
|
||||||
return true
|
return true, nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return false
|
return false, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func checkWhitelistRoot(root string) bool {
|
func checkWhitelistRoot(root string) bool {
|
||||||
|
|
@ -313,7 +329,11 @@ func RelativeFiles(fp string, root string) ([]string, error) {
|
||||||
fullPath := filepath.Join(root, fp)
|
fullPath := filepath.Join(root, fp)
|
||||||
logrus.Debugf("Getting files and contents at root %s", fullPath)
|
logrus.Debugf("Getting files and contents at root %s", fullPath)
|
||||||
err := filepath.Walk(fullPath, func(path string, info os.FileInfo, err error) error {
|
err := filepath.Walk(fullPath, func(path string, info os.FileInfo, err error) error {
|
||||||
if CheckWhitelist(path) && !HasFilepathPrefix(path, root) {
|
whitelisted, err := CheckWhitelist(path)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if whitelisted && !HasFilepathPrefix(path, root) {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
if err != nil {
|
if err != nil {
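Review bot: `whitelisted, err := CheckWhitelist(path)` inside the `filepath.Walk` callback overwrites the callback's own `err` parameter, because `:=` reuses a name already declared in the parameter list of the same function body. In RelativeFiles the pre-existing `if err != nil {` after the whitelist block then no longer sees the error Walk passed in, so a failure to stat or read an entry appears to be dropped silently, and `info` may be nil for that entry. Check the incoming error before the call, or keep the two apart with a separate name such as `whitelisted, wlErr := CheckWhitelist(path)`. The same assignment appears in the Files and DeleteFilesystem callbacks; whether they read `err` afterwards is outside the visible hunks.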
|
||||||
|
|
@ -334,7 +354,11 @@ func Files(root string) ([]string, error) {
|
||||||
var files []string
|
var files []string
|
||||||
logrus.Debugf("Getting files and contents at root %s", root)
|
logrus.Debugf("Getting files and contents at root %s", root)
|
||||||
err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
|
err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
|
||||||
if CheckWhitelist(path) {
|
whitelisted, err := CheckWhitelist(path)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if whitelisted {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
files = append(files, path)
|
files = append(files, path)
|
||||||
|
|
|
||||||
|
|
@ -266,7 +266,11 @@ func Test_CheckWhitelist(t *testing.T) {
|
||||||
whitelist = original
|
whitelist = original
|
||||||
}()
|
}()
|
||||||
whitelist = tt.args.whitelist
|
whitelist = tt.args.whitelist
|
||||||
if got := CheckWhitelist(tt.args.path); got != tt.want {
|
got, err := CheckWhitelist(tt.args.path)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("error checking whitelist: %v", err)
|
||||||
|
}
|
||||||
|
if got != tt.want {
|
||||||
t.Errorf("CheckWhitelist() = %v, want %v", got, tt.want)
|
t.Errorf("CheckWhitelist() = %v, want %v", got, tt.want)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
|
||||||