diff --git a/frontend/dockerfile/dockerfile2llb/convert.go b/frontend/dockerfile/dockerfile2llb/convert.go
index 8cec181ed5a1..bb21476c936f 100644
--- a/frontend/dockerfile/dockerfile2llb/convert.go
+++ b/frontend/dockerfile/dockerfile2llb/convert.go
@@ -1202,31 +1202,13 @@ func normalizeContextPaths(paths map[string]struct{}) []string {
 if p == "/" {
 return nil
 }
- pathSlice = append(pathSlice, p)
+ pathSlice = append(pathSlice, path.Join(".", p))
 }
 
- toDelete := map[string]struct{}{}
- for i := range pathSlice {
- for j := range pathSlice {
- if i == j {
- continue
- }
- if strings.HasPrefix(pathSlice[j], pathSlice[i]+"/") {
- delete(paths, pathSlice[j])
- }
- }
- }
-
- toSort := make([]string, 0, len(paths))
- for p := range paths {
- if _, ok := toDelete[p]; !ok {
- toSort = append(toSort, path.Join(".", p))
- }
- }
- sort.Slice(toSort, func(i, j int) bool {
- return toSort[i] < toSort[j]
+ sort.Slice(pathSlice, func(i, j int) bool {
+ return pathSlice[i] < pathSlice[j]
 })
- return toSort
+ return pathSlice
 }
 
 func proxyEnvFromBuildArgs(args map[string]string) *llb.ProxyEnv {
diff --git a/frontend/dockerfile/dockerfile_test.go b/frontend/dockerfile/dockerfile_test.go
index 5a2b28855e65..e5b711229f81 100644
--- a/frontend/dockerfile/dockerfile_test.go
+++ b/frontend/dockerfile/dockerfile_test.go
@@ -113,6 +113,7 @@ var fileOpTests = []integration.Test{
 testWorkdirUser,
 testWorkdirExists,
 testWorkdirCopyIgnoreRelative,
+ testCopyFollowAllSymlinks,
 }
 
 var securityTests = []integration.Test{}
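Review bot: In `normalizeContextPaths` (convert.go) nothing in the new code records why nested entries such as `foo` and `foo/sub` are now both kept, so the removed prefix pruning is easy to reintroduce later as an optimisation. Judging by the test added for #1197, the intent appears to be that a nested path which is a symlink must stay in the list so that it is followed in its own right; a comment above the sort such as `// Keep nested paths: an entry may be a symlink that has to be followed on its own (#1197).` would capture that. Since `path.Join` now runs before the sort, `sort.Strings(pathSlice)` could replace the `sort.Slice` closure. The function body starts above the hunk.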
@@ -1392,6 +1393,46 @@ COPY foo /
 require.Equal(t, len(du), len(du2))
 }
 
+// #1197
+func testCopyFollowAllSymlinks(t *testing.T, sb integration.Sandbox) {
+ f := getFrontend(t, sb)
+ isFileOp := getFileOp(t, sb)
+
+ dockerfile := []byte(`
+FROM scratch
+COPY foo /
+COPY foo/sub bar
+`)
+
+ dir, err := tmpdir(
+ fstest.CreateFile("Dockerfile", dockerfile, 0600),
+ fstest.CreateFile("bar", []byte(`bar-contents`), 0600),
+ fstest.CreateDir("foo", 0700),
+ fstest.Symlink("../bar", "foo/sub"),
+ )
+ require.NoError(t, err)
+ defer os.RemoveAll(dir)
+
+ c, err := client.New(context.TODO(), sb.Address())
+ require.NoError(t, err)
+ defer c.Close()
+
+ destDir, err := ioutil.TempDir("", "buildkit")
+ require.NoError(t, err)
+ defer os.RemoveAll(destDir)
+
+ _, err = f.Solve(context.TODO(), c, client.SolveOpt{
+ FrontendAttrs: map[string]string{
+ "build-arg:BUILDKIT_DISABLE_FILEOP": strconv.FormatBool(!isFileOp),
+ },
+ LocalDirs: map[string]string{
+ builder.DefaultLocalNameDockerfile: dir,
+ builder.DefaultLocalNameContext: dir,
+ },
+ }, nil)
+ require.NoError(t, err)
+}
+
 func testCopySymlinks(t *testing.T, sb integration.Sandbox) {
 f := getFrontend(t, sb)
 isFileOp := getFileOp(t, sb)
diff --git a/session/sshforward/ssh.go b/session/sshforward/ssh.go
index 0001f59b5fff..a7a4c2e228a3 100644
--- a/session/sshforward/ssh.go
+++ b/session/sshforward/ssh.go
@@ -75,6 +75,10 @@ func MountSSHSocket(ctx context.Context, c session.Caller, opt SocketOpt) (sockP
 }
 }()
 
+ if err := os.Chmod(dir, 0711); err != nil {
+ return "", nil, errors.WithStack(err)
+ }
+
 sockPath = filepath.Join(dir, "ssh_auth_sock")
 
 l, err := net.Listen("unix", sockPath)
diff --git a/solver/llbsolver/ops/exec.go b/solver/llbsolver/ops/exec.go
index aa2d6faf27b8..324b442d6bc5 100644
--- a/solver/llbsolver/ops/exec.go
+++ b/solver/llbsolver/ops/exec.go
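Review bot: `testCopyFollowAllSymlinks` only asserts that `f.Solve` returns no error; `destDir` is created and removed but never passed to the solve, so nothing checks that the copied `bar` has the expected contents. Either drop the three `destDir` lines, or export the result into that directory and assert on the file — the neighbouring tests presumably do this through an exporter entry in `client.SolveOpt`, which is not visible in this hunk. A full sentence in place of `// #1197` stating the expected behaviour would also make the regression easier to understand without looking up the issue.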
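Review bot: In `MountSSHSocket` (session/sshforward/ssh.go) the directory is opened to `0711` before `net.Listen` creates `ssh_auth_sock`, so from that point on the socket's own mode and ownership are the only thing keeping other local users away from the forwarded agent. Whatever chown/chmod is applied to the socket happens below the hunk; if it runs after `Listen`, there is a short window in which the socket carries umask-derived permissions inside an already traversable directory, and moving `os.Chmod(dir, 0711)` to after the socket's permissions are set would close it. The reason for the mode deserves a comment as well, e.g. `// 0711: traversal only, so a non-root user can reach the socket without being able to list the directory` (presumably the motivation; confirm). The function starts and ends outside the hunk.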
@@ -525,7 +525,7 @@ func (sm *secretMountInstance) Mount() ([]mount.Mount, func() error, error) {
 return []mount.Mount{{
 Type: "bind",
 Source: fp,
- Options: []string{"ro", "rbind"},
+ Options: []string{"ro", "rbind", "nodev", "nosuid", "noexec"},
 }}, cleanup, nil
 }
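Review bot: Nothing in this change checks that `nodev`, `nosuid` and `noexec` actually end up on the secret mount inside the container; for a bind mount these flags generally take effect only if the mount code applies them in a remount step, and that code is outside this hunk. An integration test that runs a step with a secret and inspects the mount's entry in `/proc/self/mountinfo` would pin that down. If this file builds other bind mounts for sensitive material (not visible here), the same option set probably belongs there too, ideally through one shared slice. `Mount()` starts above the hunk.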