Dockerfile metavariables for image aliases are not matching #5229

Closed
minusworld opened this issue May 17, 2022 · 3 comments · Fixed by #6130
Labels: bug (Something isn't working), feature:docker, user:internal (requested only by someone within Semgrep Inc.)

Comments

@minusworld (Member)

Describe the bug
https://semgrep.dev/playground/s/r2c-sec-research-test:missing-image-version

I am trying to update this rule for this issue. I expected the pattern-not-inside clause to filter out the last test case because $ALIAS should match base, but it does not.

To Reproduce
https://semgrep.dev/playground/s/r2c-sec-research-test:missing-image-version

Expected behavior
I expected the last test case in the example provided to not match.

What is the priority of the bug to you?

  • P2: regular bug that should get fixed

Use case
This will help me finish resolving this issue: semgrep/semgrep-rules#2038

@r2c-demo (Collaborator)

This issue is synced in Linear at https://linear.app/r2c/issue/PA-1300/dockerfile-metavariables-for-image-aliases-are-not-matching. Note: this link is for r2c use only and is not accessible publicly.

@aryx aryx added the user:internal requested only by someone within Semgrep Inc. label May 17, 2022
@stale

stale bot commented Jun 4, 2022

This issue is being marked stale because there hasn't been any activity in 14 days and either it wasn't prioritized or its priority is high. Please apply the appropriate priority:* label before removing the stale label.

@stale stale bot added the stale needs prioritization; label applied by stalebot label Jun 4, 2022
@mjambon mjambon added the bug Something isn't working label Jun 6, 2022
@stale stale bot removed the stale needs prioritization; label applied by stalebot label Jun 6, 2022
@mjambon (Member)

mjambon commented Jun 6, 2022

Note that FROM ... doesn't make sense as a pattern because ... would stand for a list of items of the same kind. Unfortunately it's not rejected as a syntax error because ... is considered a valid image name. Instead users should write FROM $IMAGE. We probably should do something about this.

The more serious issue here is this:
https://semgrep.dev/playground/s/returntocorp:wtf

Dumping the AST shows the problem:

$ semgrep-core -lang docker -dump_ast <(echo -e 'FROM abcdef')
Pr(
  [ExprStmt(
     Call(
       N(
         Id(("FROM", ()),
           {id_info_id=2; id_hidden=false; id_resolved=Ref(None); id_type=Ref(None); id_svalue=Ref(None); })),
       [Arg(
          Call(
            N(
              Id(("!dockerfile_concat!", ()),
                {id_info_id=1; id_hidden=true; id_resolved=Ref(None); id_type=Ref(None); id_svalue=Ref(None); })),
            [Arg(L(String(("a", ())))); Arg(L(String(("bcdef", ()))))]))]), ())])

The abcdef should be parsed as a single string, not two.
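The check that the missing-image-version rule is trying to express (flag a FROM whose image has no tag or digest, unless the image is an alias declared by an earlier stage) can be written out in plain Python, which makes the intended alias exception explicit. This is an added illustration, not Semgrep's parser or the rule itself; the rule semantics and the sample Dockerfile are assumptions constructed for this example, and it also handles the `--platform` flag and `scratch`, which the issue does not discuss.

```python
import re
from typing import List, Tuple

# Constructed multi-stage Dockerfile mirroring the issue's last test case:
# the final stage reuses the alias "base" and must not be reported.
# The digest below is a placeholder, not a real image digest.
SAMPLE_DOCKERFILE = """\
FROM python:3.9-slim AS base
RUN pip install --no-cache-dir requests
FROM --platform=linux/amd64 node AS build
FROM alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM ubuntu
FROM scratch
FROM base
"""

# FROM [--flag ...] <image> [AS <alias>]; flags such as --platform come first.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)


def is_pinned(image: str) -> bool:
    """An image reference is pinned if it carries a tag or a digest.
    A registry port (localhost:5000/app) must not be mistaken for a tag,
    so the ':' test only looks at the last path component."""
    last_component = image.rsplit("/", 1)[-1]
    return "@" in image or ":" in last_component


def find_unpinned_images(dockerfile: str) -> List[Tuple[int, str]]:
    """Return (line number, image) for every FROM whose image is neither
    pinned, nor 'scratch', nor an alias declared by an earlier stage."""
    aliases = set()          # stage names seen so far (Docker treats them case-insensitively)
    findings = []
    for lineno, line in enumerate(dockerfile.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group("image"), m.group("alias")
        if image.lower() not in aliases and image.lower() != "scratch" and not is_pinned(image):
            findings.append((lineno, image))
        if alias:                # register the alias only after checking this line
            aliases.add(alias.lower())
    return findings
```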
