Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

history, build: add pre-allowed variables e.g proxy vars to history if explicitly specified #3782

Merged
merged 1 commit into from
Feb 15, 2022
Merged

history, build: add pre-allowed variables e.g proxy vars to history if explicitly specified #3782

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 47 additions & 16 deletions imagebuildah/stage_executor.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ import (
"github.com/containers/buildah/pkg/parse"
"github.com/containers/buildah/pkg/rusage"
"github.com/containers/buildah/util"
config "github.com/containers/common/pkg/config"
cp "github.com/containers/image/v5/copy"
"github.com/containers/image/v5/docker/reference"
"github.com/containers/image/v5/manifest"
Expand Down Expand Up @@ -49,21 +50,22 @@ import (
// If we're naming the result of the build, only the last stage will apply that
// name to the image that it produces.
type StageExecutor struct {
ctx context.Context
executor *Executor
log func(format string, args ...interface{})
index int
stages imagebuilder.Stages
name string
builder *buildah.Builder
preserved int
volumes imagebuilder.VolumeSet
volumeCache map[string]string
volumeCacheInfo map[string]os.FileInfo
mountPoint string
output string
containerIDs []string
stage *imagebuilder.Stage
ctx context.Context
executor *Executor
log func(format string, args ...interface{})
index int
stages imagebuilder.Stages
name string
builder *buildah.Builder
preserved int
volumes imagebuilder.VolumeSet
volumeCache map[string]string
volumeCacheInfo map[string]os.FileInfo
mountPoint string
output string
containerIDs []string
stage *imagebuilder.Stage
argsFromContainerfile []string
}

// Preserve informs the stage executor that from this point on, it needs to
Expand Down Expand Up @@ -1228,6 +1230,11 @@ func (s *StageExecutor) getCreatedBy(node *parser.Node, addedContentSummary stri
}
switch strings.ToUpper(node.Value) {
case "ARG":
for _, variable := range strings.Fields(node.Original) {
if variable != "ARG" {
s.argsFromContainerfile = append(s.argsFromContainerfile, variable)
}
}
buildArgs := s.getBuildArgsKey()
return "/bin/sh -c #(nop) ARG " + buildArgs
case "RUN":
Expand Down Expand Up @@ -1271,7 +1278,31 @@ func (s *StageExecutor) getBuildArgsResolvedForRun() string {
if inImage {
envs = append(envs, fmt.Sprintf("%s=%s", key, configuredEnvs[key]))
} else {
envs = append(envs, fmt.Sprintf("%s=%s", key, value))
// By default everything must be added to history.
// Following variable is configured to false only for special cases.
addToHistory := true

// Following value is being assigned from build-args,
// check if this key belongs to any of the predefined allowlist args e.g Proxy Variables
// and if that arg is not manually set in Containerfile/Dockerfile
// then don't write its value to history.
// Following behaviour ensures parity with docker/buildkit.
for _, variable := range config.ProxyEnv {
if key == variable {
// found in predefined args
// so don't add to history
// unless user did explicit `ARG <some-predefined-proxy-variable>`
addToHistory = false
for _, processedArg := range s.argsFromContainerfile {
if key == processedArg {
addToHistory = true
}
}
}
}
if addToHistory {
envs = append(envs, fmt.Sprintf("%s=%s", key, value))
}
}
}
}
Expand Down
34 changes: 34 additions & 0 deletions tests/history.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,3 +108,37 @@ function testconfighistory() {
run_buildah inspect --format '{{range .Docker.History}}{{println .CreatedBy}}{{end}}' runimg
expect_output --substring "/bin/sh -c uname -a"
}

@test "history should not contain vars in allowlist unless set in ARG" {
_prefetch busybox
ctxdir=${TESTDIR}/bud
mkdir -p $ctxdir
cat >$ctxdir/Dockerfile <<EOF
FROM busybox
RUN echo \$HTTP_PROXY
EOF

run_buildah build --signature-policy ${TESTSDIR}/policy.json -t test --build-arg HTTP_PROXY="helloworld" ${ctxdir}
expect_output --substring 'helloworld'
run_buildah inspect --format '{{range .Docker.History}}{{println .CreatedBy}}{{end}}' test
# history should not contain value for HTTP_PROXY since it was not in Containerfile
assert "$output" !~ 'HTTP_PROXY=helloworld'
assert "$output" !~ 'helloworld'
}

@test "history should contain vars in allowlist when set in ARG" {
_prefetch busybox
ctxdir=${TESTDIR}/bud
mkdir -p $ctxdir
cat >$ctxdir/Dockerfile <<EOF
FROM busybox
ARG HTTP_PROXY
RUN echo \$HTTP_PROXY
EOF

run_buildah build --signature-policy ${TESTSDIR}/policy.json -t test --build-arg HTTP_PROXY="helloworld" ${ctxdir}
expect_output --substring 'helloworld'
run_buildah inspect --format '{{range .Docker.History}}{{println .CreatedBy}}{{end}}' test
# history should not contain value for HTTP_PROXY since it was not in Containerfile
expect_output --substring 'HTTP_PROXY=helloworld'
}