From db14072f400469833a48b07f9a79e2b412033d08 Mon Sep 17 00:00:00 2001 From: Greg Magolan Date: Tue, 2 Apr 2024 19:16:20 -0400 Subject: [PATCH] refactor: make unresolved_symlinks_enabled attribute of js_binary mandatory (#1571) --- docs/js_binary.md | 4 ++-- js/private/js_binary.bzl | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/js_binary.md b/docs/js_binary.md index ebbcdf8ca5..4d3de69464 100644 --- a/docs/js_binary.md +++ b/docs/js_binary.md @@ -85,7 +85,7 @@ The following environment variables are made available to the Node.js runtime ba | node_toolchain | The Node.js toolchain to use for this target.

See https://bazelbuild.github.io/rules_nodejs/Toolchains.html

Typically this is left unset so that Bazel automatically selects the right Node.js toolchain for the target platform. See https://bazel.build/extending/toolchains#toolchain-resolution for more information. | Label | optional | `None` | | patch_node_fs | Patch the to Node.js `fs` API (https://nodejs.org/api/fs.html) for this node program to prevent the program from following symlinks out of the execroot, runfiles and the sandbox.

When enabled, `js_binary` patches the Node.js sync and async `fs` API functions `lstat`, `readlink`, `realpath`, `readdir` and `opendir` so that the node program being run cannot resolve symlinks out of the execroot and the runfiles tree. When in the sandbox, these patches prevent the program being run from resolving symlinks out of the sandbox.

When disabled, node programs can leave the execroot, runfiles and sandbox by following symlinks which can lead to non-hermetic behavior. | Boolean | optional | `True` | | preserve_symlinks_main | When True, the --preserve-symlinks-main flag is passed to node.

This prevents node from following an ESM entry script out of runfiles and the sandbox. This can happen for `.mjs` ESM entry points where the fs node patches, which guard the runfiles and sandbox, are not applied. See https://github.com/aspect-build/rules_js/issues/362 for more information. Once #362 is resolved, the default for this attribute can be set to False.

This flag was added in Node.js v10.2.0 (released 2018-05-23). If your node toolchain is configured to use a Node.js version older than this you'll need to set this attribute to False.

See https://nodejs.org/api/cli.html#--preserve-symlinks-main for more information. | Boolean | optional | `True` | -| unresolved_symlinks_enabled | Whether unresolved symlinks are enabled in the current build configuration.

These are enabled with the `--allow_unresolved_symlinks` flag (named `--experimental_allow_unresolved_symlinks in Bazel versions prior to 7.0).

Typical usage of this rule is via a macro which automatically sets this attribute based on a `config_setting` rule. See /js/private/BUILD.bazel in rules_js for an example. | Boolean | optional | `False` | +| unresolved_symlinks_enabled | Whether unresolved symlinks are enabled in the current build configuration.

These are enabled with the `--allow_unresolved_symlinks` flag (named `--experimental_allow_unresolved_symlinks in Bazel versions prior to 7.0).

Typical usage of this rule is via a macro which automatically sets this attribute based on a `config_setting` rule. See /js/private/BUILD.bazel in rules_js for an example. | Boolean | required | | @@ -145,7 +145,7 @@ the contract between Bazel and a test runner. | node_toolchain | The Node.js toolchain to use for this target.

See https://bazelbuild.github.io/rules_nodejs/Toolchains.html

Typically this is left unset so that Bazel automatically selects the right Node.js toolchain for the target platform. See https://bazel.build/extending/toolchains#toolchain-resolution for more information. | Label | optional | `None` | | patch_node_fs | Patch the to Node.js `fs` API (https://nodejs.org/api/fs.html) for this node program to prevent the program from following symlinks out of the execroot, runfiles and the sandbox.

When enabled, `js_binary` patches the Node.js sync and async `fs` API functions `lstat`, `readlink`, `realpath`, `readdir` and `opendir` so that the node program being run cannot resolve symlinks out of the execroot and the runfiles tree. When in the sandbox, these patches prevent the program being run from resolving symlinks out of the sandbox.

When disabled, node programs can leave the execroot, runfiles and sandbox by following symlinks which can lead to non-hermetic behavior. | Boolean | optional | `True` | | preserve_symlinks_main | When True, the --preserve-symlinks-main flag is passed to node.

This prevents node from following an ESM entry script out of runfiles and the sandbox. This can happen for `.mjs` ESM entry points where the fs node patches, which guard the runfiles and sandbox, are not applied. See https://github.com/aspect-build/rules_js/issues/362 for more information. Once #362 is resolved, the default for this attribute can be set to False.

This flag was added in Node.js v10.2.0 (released 2018-05-23). If your node toolchain is configured to use a Node.js version older than this you'll need to set this attribute to False.

See https://nodejs.org/api/cli.html#--preserve-symlinks-main for more information. | Boolean | optional | `True` | -| unresolved_symlinks_enabled | Whether unresolved symlinks are enabled in the current build configuration.

These are enabled with the `--allow_unresolved_symlinks` flag (named `--experimental_allow_unresolved_symlinks in Bazel versions prior to 7.0).

Typical usage of this rule is via a macro which automatically sets this attribute based on a `config_setting` rule. See /js/private/BUILD.bazel in rules_js for an example. | Boolean | optional | `False` | +| unresolved_symlinks_enabled | Whether unresolved symlinks are enabled in the current build configuration.

These are enabled with the `--allow_unresolved_symlinks` flag (named `--experimental_allow_unresolved_symlinks in Bazel versions prior to 7.0).

Typical usage of this rule is via a macro which automatically sets this attribute based on a `config_setting` rule. See /js/private/BUILD.bazel in rules_js for an example. | Boolean | required | | diff --git a/js/private/js_binary.bzl b/js/private/js_binary.bzl index 3327f4d1c8..1e011b4fe1 100644 --- a/js/private/js_binary.bzl +++ b/js/private/js_binary.bzl @@ -267,8 +267,7 @@ _ATTRS = { attribute based on a `config_setting` rule. See /js/private/BUILD.bazel in rules_js for an example. """, - # TODO(2.0): make this mandatory so that downstream binary rules that inherit these attributes are required to set it - mandatory = False, + mandatory = True, ), "node_toolchain": attr.label( doc = """The Node.js toolchain to use for this target.