Merge pull request #1000 from tejal29/769

whitelist /tmp/apt-key-gpghome.* directory
GoogleContainerTools · Jan 31, 2020 · 3f73230 · 3f73230
2 parents c5e1c93 + e032204
commit 3f73230
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 5 deletions.
diff --git a/pkg/snapshot/layered_map.go b/pkg/snapshot/layered_map.go
@@ -20,11 +20,13 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"os"
 	"path/filepath"
 	"strings"
 
 	"github.com/GoogleContainerTools/kaniko/pkg/timing"
 	"github.com/GoogleContainerTools/kaniko/pkg/util"
+	"github.com/sirupsen/logrus"
 )
 
 type LayeredMap struct {
@@ -113,13 +115,18 @@ func (l *LayeredMap) Add(s string) error {
 // from the current layered map by its hashing function.
 // Returns true if the file is changed.
 func (l *LayeredMap) CheckFileChange(s string) (bool, error) {
-	oldV, ok := l.Get(s)
 	t := timing.Start("Hashing files")
 	defer timing.DefaultRun.Stop(t)
 	newV, err := l.hasher(s)
 	if err != nil {
+		// if this file does not exist in the new layer return.
+		if os.IsNotExist(err) {
+			logrus.Tracef("%s detected as changed but does not exist", s)
+			return false, nil
+		}
 		return false, err
 	}
+	oldV, ok := l.Get(s)
 	if ok && newV == oldV {
 		return false, nil
 	}

diff --git a/pkg/util/fs_util.go b/pkg/util/fs_util.go
@@ -56,6 +56,12 @@ var initialWhitelist = []WhitelistEntry{
 		Path:            "/etc/mtab",
 		PrefixMatchOnly: false,
 	},
+	{
+		// we whitelist /tmp/apt-key-gpghome, since the apt keys are added temporarily in this directory.
+		// from the base image
+		Path:            "/tmp/apt-key-gpghome",
+		PrefixMatchOnly: true,
+	},
 }
 
 var whitelist = initialWhitelist
@@ -663,7 +669,7 @@ func ExcludeFile(path, buildcontext string) bool {
 	return match
 }
 
-// HasFilepathPrefix checks  if the given file path begins with prefix
+// HasFilepathPrefix checks if the given file path begins with prefix
 func HasFilepathPrefix(path, prefix string, prefixMatchOnly bool) bool {
 	prefix = filepath.Clean(prefix)
 	prefixArray := strings.Split(prefix, "/")
@@ -676,11 +682,15 @@ func HasFilepathPrefix(path, prefix string, prefixMatchOnly bool) bool {
 	if prefixMatchOnly && len(pathArray) == len(prefixArray) {
 		return false
 	}
+
 	for index := range prefixArray {
-		if prefixArray[index] == pathArray[index] {
-			continue
+		m, err := filepath.Match(prefixArray[index], pathArray[index])
+		if err != nil {
+			return false
+		}
+		if !m {
+			return false
 		}
-		return false
 	}
 	return true
 }

diff --git a/pkg/util/fs_util_test.go b/pkg/util/fs_util_test.go
@@ -65,6 +65,7 @@ func Test_DetectFilesystemWhitelist(t *testing.T) {
 		{"/dev/pts", false},
 		{"/sys", false},
 		{"/etc/mtab", false},
+		{"/tmp/apt-key-gpghome", true},
 	}
 	actualWhitelist := whitelist
 	sort.Slice(actualWhitelist, func(i, j int) bool {
@@ -258,6 +259,14 @@ func Test_CheckWhitelist(t *testing.T) {
 			},
 			want: false,
 		},
+		{
+			name: "prefix match only ",
+			args: args{
+				path:      "/tmp/apt-key-gpghome.xft/gpg.key",
+				whitelist: []WhitelistEntry{{"/tmp/apt-key-gpghome.*", true}},
+			},
+			want: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {