bake: add wildcard to fs entitlements to allow any paths

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2025-08-02 00:28:04 +08:00 · 2024-11-22 13:41:03 +01:00
parent d612139b19
commit 9c75071793
4 changed files with 56 additions and 71 deletions
--- a/bake/entitlements_test.go
+++ b/bake/entitlements_test.go
@@ -350,6 +350,33 @@ func TestValidateEntitlements(t *testing.T) {
 			conf: EntitlementConf{
 				FSRead: []string{"/"},
 			},
+			expected: EntitlementConf{
+				FSRead: func() []string {
+					// on windows root (/) is only allowed if it is the same volume as wd
+					if filepath.VolumeName(wd) == filepath.VolumeName(escapeLink) {
+						return nil
+					}
+					// if not, then escapeLink is not allowed
+					exp, err := evaluateToExistingPath(escapeLink)
+					require.NoError(t, err)
+					exp, err = filepath.EvalSymlinks(exp)
+					require.NoError(t, err)
+					return []string{exp}
+				}(),
+			},
+		},
+		{
+			name: "SecretFromEscapeLinkAllowAny",
+			opt: build.Options{
+				SecretSpecs: []*pb.Secret{
+					{
+						FilePath: escapeLink,
+					},
+				},
+			},
+			conf: EntitlementConf{
+				FSRead: []string{"*"},
+			},
 			expected: EntitlementConf{},
 		},
 	}