
Commit 69d26bb

fix(build, buildah, stapel): prevent sensitive data exposure by not printing user commands
Signed-off-by: Aleksei Igrychev <aleksei.igrychev@palark.com>
1 parent ad5f224 commit 69d26bb


1 file changed

+25
-5
lines changed


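--- a/pkg/container_backend/buildah_backend.go
+++ b/pkg/container_backend/buildah_backend.go
@@ -22,6 +22,7 @@ import (
 
 copyrec "github.com/werf/copy-recurse"
 "github.com/werf/logboek"
+"github.com/werf/logboek/pkg/level"
 "github.com/werf/werf/pkg/buildah"
 "github.com/werf/werf/pkg/buildah/thirdparty"
 "github.com/werf/werf/pkg/image"
@@ -127,14 +128,18 @@ func (backend *BuildahBackend) unmountContainers(ctx context.Context, containers
 return nil
 }
 
-func makeScript(commands []string) []byte {
+func makeScript(commands []string, verbose bool) []byte {
 var scriptCommands []string
 for _, c := range commands {
-scriptCommands = append(scriptCommands, fmt.Sprintf(`printf "$ %%s\n" %q`, c))
+// TODO: print commands by default when build secrets are supported.
+if verbose {
+scriptCommands = append(scriptCommands, fmt.Sprintf(`printf "$ %%s\n" %q`, c))
+}
 scriptCommands = append(scriptCommands, c)
 }
 
-return []byte(fmt.Sprintf(`#!/bin/sh
+if verbose {
+return []byte(fmt.Sprintf(`#!/bin/sh
 
 set -e
 
@@ -152,16 +157,31 @@ fi
 
 %s
 `, strings.Join(scriptCommands, "\n")))
+} else {
+return []byte(fmt.Sprintf(`#!/bin/sh
+
+set -e
+
+if [ "x$_IS_REEXEC" = "x" ]; then
+if type bash >/dev/null 2>&1 ; then
+export _IS_REEXEC="1"
+exec bash $0
+fi
+fi
+
+%s
+`, strings.Join(scriptCommands, "\n")))
+}
 }
 
 func (backend *BuildahBackend) applyCommands(ctx context.Context, container *containerDesc, buildVolumes, commands []string, opts CommonOpts) error {
 hostScriptPath := filepath.Join(backend.TmpDir, fmt.Sprintf("script-%s.sh", uuid.New().String()))
-if err := os.WriteFile(hostScriptPath, makeScript(commands), os.FileMode(0o555)); err != nil {
+if err := os.WriteFile(hostScriptPath, makeScript(commands, logboek.Context(ctx).IsAcceptedLevel(level.Info)), os.FileMode(0o555)); err != nil {
 return fmt.Errorf("unable to write script file %q: %w", hostScriptPath, err)
 }
 defer os.RemoveAll(hostScriptPath)
 
-logboek.Context(ctx).Default().LogF("Executing script %s\n", hostScriptPath)
+logboek.Context(ctx).Info().LogF("Executing script %s\n", hostScriptPath)
 
 destScriptPath := "/.werf/script.sh"
 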
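Review bot: The commands this change stops echoing are still written verbatim to `hostScriptPath` with `os.FileMode(0o555)`, which is world-readable, so for the lifetime of the build any local user who can list `backend.TmpDir` can read exactly what the log gate now hides; `os.FileMode(0o500)` would close that, unless the script has to be readable by a different uid inside the container once it is placed at `destScriptPath` — worth confirming. The gate itself is a log level rather than a secret-awareness check: once Info is accepted (common in CI debugging runs) the `printf "$ %s\n"` lines print every command again, so the TODO at the top of the loop should state that, e.g. `// NOTE: verbose runs still echo every command, including any inline secrets; gated only until build secrets are supported.` The two `#!/bin/sh` templates are identical in the visible lines, and if the elided middle of the verbose branch matches the else branch, the duplication could collapse to one template with `verbose` controlling only the printf lines. applyCommands continues past the end of the hunk.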