Don't skip symlinks during local source upload#355
Don't skip symlinks during local source upload#355dollierp wants to merge 1 commit intoshipwright-io:mainfrom
Conversation
pull-request-size
Bot
added
the
size/M
IrvingMg
left a comment
IrvingMg
left a comment
There was a problem hiding this comment.
Thanks for the PR!
Overall, LGTM. I left a couple of comments. It would also be nice to have unit tests for at least basic cases, as the changes are related to the core functionality of the upload command.
|
Hi @IrvingMg, Thanks for your review. I updated the PR with new changes trying to address your remarks. Regards, |
There was a problem hiding this comment.
Pull request overview
This PR fixes a bug where symlinks were being skipped during local source uploads. Previously, the tar helper would skip any file that wasn't a regular file (including symlinks, directories, and other special file types). The changes now allow symlinks to be included in the tar archive while still skipping unsupported file types.
Changes:
- Modified
skipPathfunction to exclude symlinks from being skipped (allowing them to be processed) - Added symlink handling in
writeFileToTarto read symlink targets, detect if they point outside the source directory, and properly set the tar header linkname - Added
isSymlinkTargetOutsideOfDirfunction to check if symlink targets escape the source directory and warn appropriately - Updated test to verify that symlinks are captured in the tar archive
- Fixed documentation from "buildrun" to "build" command references
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| pkg/shp/streamer/tar.go | Modified skipPath condition to allow symlinks through filtering |
| pkg/shp/streamer/util.go | Added symlink handling logic with safety check for targets pointing outside source directory |
| pkg/shp/streamer/tar_test.go | Enhanced test to verify symlinks are included in tar output |
| pkg/shp/cmd/build/upload.go | Fixed documentation typo from "buildrun" to "build" |
| docs/shp_build_upload.md | Updated documentation examples to match corrected command |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Hi @dollierp, thanks for the changes. There’s one more Copilot comment, could you take a look? |
|
Hi @IrvingMg, I updated the PR to make Copilot happy. Let me know if something else is missing. Regards. |
IrvingMg
left a comment
IrvingMg
left a comment
There was a problem hiding this comment.
Thanks again for the changes. I left a couple more comments.
pull-request-size
Bot
added
size/L
|
Hi @IrvingMg, I tried to address your latest remarks and updated the PR. Regards, |
IrvingMg
left a comment
IrvingMg
left a comment
There was a problem hiding this comment.
Thanks for the update, looks good overall. Just a few final comments from my side.
|
Hi @IrvingMg, I've tried to incorporate your latest feedback and have updated the pull request. Regards, |
IrvingMg
left a comment
IrvingMg
left a comment
There was a problem hiding this comment.
Thanks for the changes! Overall /lgtm
@shipwright-io/approvers PTAL, this PR has been open for a while.
|
/lgtm |
adambkaplan
left a comment
adambkaplan
left a comment
There was a problem hiding this comment.
Code changes generally look good, however I'm going to ask that we turn the existing warning on using symlinks outside the "root" directory into a failure. This is a common source of vulnerabilities. I am actually pretty sure that in Shipwright's predecessor (OpenShift BuildConfig), we had to issue a CVE on this exact issue.
| if err := os.Symlink(symlink.target, path); err != nil { | ||
| t.Fatalf("Couldn't setup test symlink: %v", err) | ||
| } | ||
| t.Cleanup(func() { os.Remove(path) }) |
There was a problem hiding this comment.
Golangci-lint failing here on an unhandled error from os.Remove. I'm fine capturing the error and logging it.
| t.Cleanup(func() { os.Remove(path) }) | |
| t.Cleanup(func() { | |
| cleanupErr := os.Remove(path) | |
| if cleanupErr != nil { | |
| t.Logf("failed to remove path %q: %v", path, err) | |
| } | |
| }) |
|
Hi @adambkaplan, Thanks for your review. I pushed a new commit which should address your concerns. Regards, |
adambkaplan
left a comment
adambkaplan
left a comment
There was a problem hiding this comment.
/approve
Adding "approve" here, now that we are safely handling symlinks that potentially escape the root directory. We'll need at least one more round of review before this is ready for merge.
|
|
||
| if outside, _ := isSymlinkTargetOutsideOfDir(absSrc, absTarget); outside { | ||
| relPath, _ := filepath.Rel(t.src, fpath) | ||
| return fmt.Errorf("symlink %q points outside the source directory %q (target: %q)\n", relPath, absSrc, target) |
There was a problem hiding this comment.
I held back on pointing this out as a nit, but our lint checker is failing because of the trailing newline.
| return fmt.Errorf("symlink %q points outside the source directory %q (target: %q)\n", relPath, absSrc, target) | |
| return fmt.Errorf("symlink %q points outside the source directory %q (target: %q)", relPath, absSrc, target) |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
Bot
added
the
approved
|
/lgtm cancel Due to failing lint check. |
|
Hi @adambkaplan, I updated the PR to fix the Regards. |
|
@dollierp one last item - please squash your commits using an interactive rebase, and provide a well written commit message. Side note for @shipwright-io/contributors - we should add commit squashing and commit message guidance to our Contributor Guide. |
Until now, the `shp build upload <build-name> /path` command would silently discard symbolic links when walking through a local source directory. This is not backward compatible with the `oc start-build <build-name> --from-dir=/path` command which supports symbolic links. This change adds support for symbolic links to Shipwright cli to match the legacy OpenShift build commands. To prevent the type of vulnerability described by CWE-61 [1], an additional security measure is implemented: an error is raised upon detecting a symbolic link that points to a file outside the provided directory. [1]: https://cwe.mitre.org/data/definitions/61.html Signed-off-by: Denis Ollier <dollierp@redhat.com>
|
Hi @adambkaplan, I squashed the commits into a single one and improved its message to match the guidelines. Regards, |
|
/lgtm Failed e2e test appears to be a flake. Re-running (which will gate merge until it passes). |
Changes
Don't skip symlinks during local source upload
/kind bug
Submitter Checklist
See the contributor guide
for details on coding conventions, github and prow interactions, and the code review process.
Release Notes