From 49f0451cbba6db6e2527851fdbe45e2a531104b7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 27 Jun 2025 08:34:06 +0200 Subject: [PATCH] cstrans-df-run: restrict the regex accepting exec form ... of the RUN instruction. This change causes the following RUN instruction to be recognized as the shell form: ``` RUN [ "$(sha1sum Dockerfile.cached | cut -d' ' -f1)" = "$(sha1sum Dockerfile | cut -d' ' -f1)" ] ``` Fixes: https://issues.redhat.com/browse/PSSECAUT-1207
---
 src/cstrans-df-run.cc | 8 ++++--
 tests/cstrans-df-run/0012-sf-stdout.txt | 37 +++++++++++++++++++++++++
 tests/cstrans-df-run/0012-stdin.txt | 37 +++++++++++++++++++++++++
 tests/cstrans-df-run/0012-stdout.txt | 37 +++++++++++++++++++++++++
 tests/cstrans-df-run/CMakeLists.txt | 1 +
 5 files changed, 118 insertions(+), 2 deletions(-)
 create mode 100644 tests/cstrans-df-run/0012-sf-stdout.txt
 create mode 100644 tests/cstrans-df-run/0012-stdin.txt
 create mode 100644 tests/cstrans-df-run/0012-stdout.txt
diff --git a/src/cstrans-df-run.cc b/src/cstrans-df-run.cc
index 6d6778e..a3f3d8b 100644
--- a/src/cstrans-df-run.cc
+++ b/src/cstrans-df-run.cc
@@ -80,8 +80,12 @@ class DockerFileTransformer {
 // split RUN directive with options from the actual command
 const RE reLineRunOpts_ = RE("^(RUN +(?:--[A-Za-z0-9_]+=[^ ]+ +)*)(.*)$");
- /// match ... in RUN [...]
- const RE reLineRunExec_ = RE("^\\[(.*)\\] *$");
+ /// text to construct RE taking "..." where inner quotes can be escaped
+ const std::string rtQuotedStr_ = "\"([^\"\\\\]|\\\\.)*\"";
+
+ /// match RUN ["cmd", "opt1", "opt2", ...] with zero or more opts
+ const RE reLineRunExec_ = RE("^\\[\\s*(" + rtQuotedStr_
+ + "(?:\\s*,\\s*" + rtQuotedStr_ + ")*)\\s*\\]\\s*$");
 /// match in-line comments
 const RE reComment_ = RE("^\\s*#.*$");
diff --git a/tests/cstrans-df-run/0012-sf-stdout.txt b/tests/cstrans-df-run/0012-sf-stdout.txt
new file mode 100644
index 0000000..4ab9db9
--- /dev/null
+++ b/tests/cstrans-df-run/0012-sf-stdout.txt
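Review bot: The in-class initializer of `reLineRunExec_` reads `rtQuotedStr_`, so the regex is only built correctly because `rtQuotedStr_` is declared first in the class; members are initialized in declaration order, and a later reordering would read a not-yet-constructed member (undefined behavior), while a constant pattern fragment has no reason to be a per-instance `std::string` at all. Moving it to a file-local constant in an anonymous namespace, e.g. `static const std::string rtQuotedStr = "\"([^\"\\\\]|\\\\.)*\"";` (or `static inline const` inside the class if the project builds as C++17), removes both the ordering hazard and the per-object copy. Note also that the new pattern requires at least one quoted element, so an empty exec form `RUN []` — which the old `^\[(.*)\] *$` accepted — now falls through to the shell-form path; if that is intended, a one-line comment such as `/// an empty list "[]" is deliberately treated as the shell form` next to `reLineRunExec_` would keep a future reader from "fixing" it. The `DockerFileTransformer` class begins before the hunk and continues past it.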
@@ -0,0 +1,37 @@
+# Detect the drift from the upstream Dockerfile
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS drift
+WORKDIR /app
+COPY drift-cache/Dockerfile Dockerfile.cached
+COPY Dockerfile.openshift Dockerfile
+# If the command below fails it means that the Dockerfile from this repository changed.
+# You have to update the Konflux Containerfile accordingly.
+# drift-cache/Dockerfile can be updated with the upstream contents once the Konflux version is aligned.
+RUN '/opt/cov-sa-2019.09/bin/cov-build' '--dir=/cov' '--append-log' 'sh' '-c' $'[ \"$(sha1sum Dockerfile.cached | cut -d\' \' -f1)\" = \"$(sha1sum Dockerfile | cut -d\' \' -f1)\" ]'
+
+FROM registry.access.redhat.com/ubi9/go-toolset:1.22 as builder
+# dummy copy to trigger the drift detection
+COPY --from=drift /app/Dockerfile.cached .
+WORKDIR /workspace
+# Dummy RUN to create /workspace directory.
+# WORKDIR doesn't create the directory (at least for Podman).
+# Without this step, the following COPY may create /workspace
+# as root-owned (instead of go-toolset's default 1001)
+# leading to "Permission denied" errors during "make build"
+# when trying to write output.
+RUN '/opt/cov-sa-2019.09/bin/cov-build' '--dir=/cov' '--append-log' 'sh' '-c' 'ls .'
+COPY . /workspace
+RUN '/opt/cov-sa-2019.09/bin/cov-build' '--dir=/cov' '--append-log' 'sh' '-c' 'git config --global --add safe.directory /workspace'
+# Build
+RUN '/opt/cov-sa-2019.09/bin/cov-build' '--dir=/cov' '--append-log' 'sh' '-c' 'make build'
+
+FROM registry.redhat.io/rhel9-4-els/rhel:9.4-943.1729773477
+LABEL maintainer="Red Hat, Inc."
+LABEL com.redhat.component="external-dns-container"
+LABEL name="external-dns"
+LABEL version="1.3.0"
+LABEL commit="76d92ad82b22c92c191a8c0145d3712e4012d987"
+WORKDIR /
+COPY --from=builder /workspace/build/external-dns /
+COPY LICENSE /licenses/
+USER 65532:65532
+ENTRYPOINT ["/external-dns"]
diff --git a/tests/cstrans-df-run/0012-stdin.txt b/tests/cstrans-df-run/0012-stdin.txt
new file mode 100644
index 0000000..f1c6792
--- /dev/null
+++ b/tests/cstrans-df-run/0012-stdin.txt
@@ -0,0 +1,37 @@
+# Detect the drift from the upstream Dockerfile
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS drift
+WORKDIR /app
+COPY drift-cache/Dockerfile Dockerfile.cached
+COPY Dockerfile.openshift Dockerfile
+# If the command below fails it means that the Dockerfile from this repository changed.
+# You have to update the Konflux Containerfile accordingly.
+# drift-cache/Dockerfile can be updated with the upstream contents once the Konflux version is aligned.
+RUN [ "$(sha1sum Dockerfile.cached | cut -d' ' -f1)" = "$(sha1sum Dockerfile | cut -d' ' -f1)" ]
+
+FROM registry.access.redhat.com/ubi9/go-toolset:1.22 as builder
+# dummy copy to trigger the drift detection
+COPY --from=drift /app/Dockerfile.cached .
+WORKDIR /workspace
+# Dummy RUN to create /workspace directory.
+# WORKDIR doesn't create the directory (at least for Podman).
+# Without this step, the following COPY may create /workspace
+# as root-owned (instead of go-toolset's default 1001)
+# leading to "Permission denied" errors during "make build"
+# when trying to write output.
+RUN ls .
+COPY . /workspace
+RUN git config --global --add safe.directory /workspace
+# Build
+RUN make build
+
+FROM registry.redhat.io/rhel9-4-els/rhel:9.4-943.1729773477
+LABEL maintainer="Red Hat, Inc."
+LABEL com.redhat.component="external-dns-container"
+LABEL name="external-dns"
+LABEL version="1.3.0"
+LABEL commit="76d92ad82b22c92c191a8c0145d3712e4012d987"
+WORKDIR /
+COPY --from=builder /workspace/build/external-dns /
+COPY LICENSE /licenses/
+USER 65532:65532
+ENTRYPOINT ["/external-dns"]
diff --git a/tests/cstrans-df-run/0012-stdout.txt b/tests/cstrans-df-run/0012-stdout.txt
new file mode 100644
index 0000000..bdd73cc
--- /dev/null
+++ b/tests/cstrans-df-run/0012-stdout.txt
@@ -0,0 +1,37 @@
+# Detect the drift from the upstream Dockerfile
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS drift
+WORKDIR /app
+COPY drift-cache/Dockerfile Dockerfile.cached
+COPY Dockerfile.openshift Dockerfile
+# If the command below fails it means that the Dockerfile from this repository changed.
+# You have to update the Konflux Containerfile accordingly.
+# drift-cache/Dockerfile can be updated with the upstream contents once the Konflux version is aligned.
+RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "[ \"$(sha1sum Dockerfile.cached | cut -d' ' -f1)\" = \"$(sha1sum Dockerfile | cut -d' ' -f1)\" ]"]
+
+FROM registry.access.redhat.com/ubi9/go-toolset:1.22 as builder
+# dummy copy to trigger the drift detection
+COPY --from=drift /app/Dockerfile.cached .
+WORKDIR /workspace
+# Dummy RUN to create /workspace directory.
+# WORKDIR doesn't create the directory (at least for Podman).
+# Without this step, the following COPY may create /workspace
+# as root-owned (instead of go-toolset's default 1001)
+# leading to "Permission denied" errors during "make build"
+# when trying to write output.
+RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "ls ."]
+COPY . /workspace
+RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "git config --global --add safe.directory /workspace"]
+# Build
+RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "make build"]
+
+FROM registry.redhat.io/rhel9-4-els/rhel:9.4-943.1729773477
+LABEL maintainer="Red Hat, Inc."
+LABEL com.redhat.component="external-dns-container"
+LABEL name="external-dns"
+LABEL version="1.3.0"
+LABEL commit="76d92ad82b22c92c191a8c0145d3712e4012d987"
+WORKDIR /
+COPY --from=builder /workspace/build/external-dns /
+COPY LICENSE /licenses/
+USER 65532:65532
+ENTRYPOINT ["/external-dns"]
diff --git a/tests/cstrans-df-run/CMakeLists.txt b/tests/cstrans-df-run/CMakeLists.txt
index b3327d0..36ed6c9 100644
--- a/tests/cstrans-df-run/CMakeLists.txt
+++ b/tests/cstrans-df-run/CMakeLists.txt
@@ -45,3 +45,4 @@ test_cstrans_df_run(0008)
 test_cstrans_df_run(0009)
 test_cstrans_df_run(0010)
 test_cstrans_df_run(0011)
+test_cstrans_df_run(0012)