Merge pull request #2812 from crazy-max/bake-win-fs-ent

bake: add wildcard to fs entitlements to allow any paths
CrazyMax 2024-11-25 20:29:14 +01:00 committed by GitHub
commit 5ce6597c07
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 56 additions and 71 deletions


@ -326,7 +326,14 @@ func isParentOrEqualPath(p, parent string) bool {
}
func findMissingPaths(set []string, paths map[string]struct{}) ([]string, error) {
paths, err := evaluateToExistingPaths(paths)
set, allowAny, err := evaluatePaths(set)
if err != nil {
return nil, err
} else if allowAny {
return nil, nil
}
paths, err = evaluateToExistingPaths(paths)
if err != nil {
return nil, err
}
@ -335,11 +342,6 @@ func findMissingPaths(set []string, paths map[string]struct{}) ([]string, error)
return nil, err
}
set, err = evaluatePaths(set)
if err != nil {
return nil, err
}
out := make([]string, 0, len(paths))
loop0:
for p := range paths {
@ -441,6 +443,27 @@ func removeCommonPaths(in, common []string) []string {
return filtered
}
func evaluatePaths(in []string) ([]string, bool, error) {
out := make([]string, 0, len(in))
allowAny := false
for _, p := range in {
if p == "*" {
allowAny = true
continue
}
v, err := filepath.Abs(p)
if err != nil {
return nil, false, errors.Wrapf(err, "failed to evaluate path %q", p)
}
v, err = filepath.EvalSymlinks(v)
if err != nil {
return nil, false, errors.Wrapf(err, "failed to evaluate path %q", p)
}
out = append(out, v)
}
return out, allowAny, nil
}
func evaluateToExistingPaths(in map[string]struct{}) (map[string]struct{}, error) {
m := make(map[string]struct{}, len(in))
for p := range in {
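Review bot: evaluatePaths treats the literal entry `*` as a wildcard that makes findMissingPaths return `nil, nil`, i.e. the entire read/write path check is skipped, yet nothing on the new side documents that, and the match is exact — an entry such as `/tmp/*` is not a pattern but is fed to filepath.Abs/EvalSymlinks, where EvalSymlinks fails unless an entry of that name exists. Add a doc comment on evaluatePaths stating that it resolves each entry to an absolute, symlink-free path, that the literal entry `"*"` is dropped from the result and reported via the bool return value as "any path allowed", and that no other glob syntax is supported. The loop also keeps resolving the remaining entries after seeing `*`, so `*` next to a non-existent path still fails in findMissingPaths because the `err != nil` check precedes the `allowAny` check; if that strictness is intended, say so in the same comment. In the first hunk, `} else if allowAny {` follows a returning branch — a separate `if allowAny { return nil, nil }` reads cleaner. findMissingPaths and evaluateToExistingPaths both extend outside the hunks shown.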


@ -350,6 +350,33 @@ func TestValidateEntitlements(t *testing.T) {
conf: EntitlementConf{
FSRead: []string{"/"},
},
expected: EntitlementConf{
FSRead: func() []string {
// on windows root (/) is only allowed if it is the same volume as wd
if filepath.VolumeName(wd) == filepath.VolumeName(escapeLink) {
return nil
}
// if not, then escapeLink is not allowed
exp, err := evaluateToExistingPath(escapeLink)
require.NoError(t, err)
exp, err = filepath.EvalSymlinks(exp)
require.NoError(t, err)
return []string{exp}
}(),
},
},
{
name: "SecretFromEscapeLinkAllowAny",
opt: build.Options{
SecretSpecs: []*pb.Secret{
{
FilePath: escapeLink,
},
},
},
conf: EntitlementConf{
FSRead: []string{"*"},
},
expected: EntitlementConf{},
},
}
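Review bot: The new SecretFromEscapeLinkAllowAny case pins the wildcard for one input only — a single read-side entry of `*` with nothing else in the list — so the `allowAny` short-circuit in findMissingPaths is not exercised for a wildcard combined with a concrete path, nor for a wildcard on the write list if EntitlementConf carries one. Add a sibling case with `FSRead: []string{"*", escapeLink}` and, where applicable, the write-side equivalent, each expecting an empty EntitlementConf, so a later change to the check ordering in findMissingPaths is caught. A one-line comment on the new case, e.g. `// "*" disables the FS entitlement check entirely; nothing may be reported missing`, would also make the intent of `expected: EntitlementConf{}` explicit. The enclosing table starts before the hunk.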


@ -1,26 +0,0 @@
//go:build !windows
// +build !windows
package bake
import (
"path/filepath"
"github.com/pkg/errors"
)
func evaluatePaths(in []string) ([]string, error) {
out := make([]string, 0, len(in))
for _, p := range in {
v, err := filepath.Abs(p)
if err != nil {
return nil, err
}
v, err = filepath.EvalSymlinks(v)
if err != nil {
return nil, errors.Wrapf(err, "failed to evaluate path %q", p)
}
out = append(out, v)
}
return out, nil
}


@ -1,39 +0,0 @@
package bake
import (
"os"
"path/filepath"
"github.com/pkg/errors"
)
func evaluatePaths(in []string) ([]string, error) {
out := make([]string, 0, len(in))
for _, p := range in {
if p == "/" {
out = append(out, getAllVolumes()...)
continue
}
v, err := filepath.Abs(p)
if err != nil {
return nil, err
}
v, err = filepath.EvalSymlinks(v)
if err != nil {
return nil, errors.Wrapf(err, "failed to evaluate path %q", p)
}
out = append(out, v)
}
return out, nil
}
func getAllVolumes() []string {
var volumes []string
for _, drive := range "ABCDEFGHIJKLMNOPQRSTUVWXYZ" {
p := string(drive) + ":" + string(filepath.Separator)
if _, err := os.Stat(p); !os.IsNotExist(err) {
volumes = append(volumes, p)
}
}
return volumes
}