
Removed dependency on sh/tar from alpine image
This commit removes the dependency on the sh and tar binaries by implementing
the logic in our func-util binary.

Signed-off-by: Matej Vašek <[email protected]>
matejvasek committed Jan 23, 2025
1 parent 079db29 commit 74f1ab8
Showing 3 changed files with 92 additions and 0 deletions.
1 change: 1 addition & 0 deletions Dockerfile.utils
Expand Up @@ -34,6 +34,7 @@ COPY --from=builder /workspace/func-util /usr/local/bin/
RUN ln -s /usr/local/bin/func-util /usr/local/bin/deploy && \
ln -s /usr/local/bin/func-util /usr/local/bin/scaffold && \
ln -s /usr/local/bin/func-util /usr/local/bin/s2i && \
ln -s /usr/local/bin/func-util /usr/local/bin/sh && \
ln -s /usr/local/bin/func-util /usr/local/bin/socat

LABEL \
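Review bot: The new `ln -s /usr/local/bin/func-util /usr/local/bin/sh` line puts a fake shell on PATH (wherever /usr/local/bin precedes the directory holding a real one), but nothing in the Dockerfile says so, and the shim in cmd/func-util/main.go accepts exactly one argv; a reader of this file alone will assume a working shell is available. Add a comment above the line such as `# "sh" is a compatibility shim: func-util only honours 'sh -c "umask 0000 && exec tar -xmf -"' (see cmd/func-util/main.go), not a general shell`. Whether a real /bin/sh remains in the final image is not visible from this hunk; the shell-form RUN instruction on these lines is itself executed by /bin/sh at build time.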
91 changes: 91 additions & 0 deletions cmd/func-util/main.go
Expand Up @@ -4,12 +4,20 @@
package main

import (
"archive/tar"
"context"
"errors"
"flag"
"fmt"
"golang.org/x/sys/unix"
"io"
"io/fs"
"os"
"os/signal"
"path"
"path/filepath"
"slices"
"strings"
"syscall"

"github.com/openshift/source-to-image/pkg/cmd/cli"
Expand Down Expand Up @@ -46,6 +54,8 @@ func main() {
cmd = s2iCmd
case "socat":
cmd = socat
case "sh":
cmd = sh
}

err := cmd(ctx)
Expand Down Expand Up @@ -167,3 +177,84 @@ func (d deployDecorator) UpdateLabels(function fn.Function, labels map[string]st
}
return labels
}

func sh(ctx context.Context) error {
if !slices.Equal(os.Args[1:], []string{"-c", "umask 0000 && exec tar -xmf -"}) {
return fmt.Errorf("this is a fake sh (only for backward compatiblility purposes)")
}

var err error

wd, err := os.Getwd()
if err != nil {
return fmt.Errorf("cannot get working directory: %w", err)
}

unix.Umask(0)

r := tar.NewReader(os.Stdin)

writeRegular := func(hdr *tar.Header) error {
target := filepath.Join(wd, filepath.FromSlash(hdr.Name))
e := os.MkdirAll(
filepath.Dir(target),
os.FileMode(hdr.Mode)&fs.ModePerm|0111,
)
if e != nil {
return e
}
f, e := os.OpenFile(
target,
os.O_CREATE|os.O_TRUNC|os.O_WRONLY,
os.FileMode(hdr.Mode)&fs.ModePerm,
)
defer func(f *os.File) {
_ = f.Close()
}(f)
_, e = io.Copy(f, r)
if e != nil {
return e
}
return nil
}

Check failure

Code scanning / CodeQL

Arbitrary file access during archive extraction ("Zip Slip") High

Unsanitized archive entry, which may contain '..', is used in a
file system operation
.
Unsanitized archive entry, which may contain '..', is used in a
file system operation
.
Unsanitized archive entry, which may contain '..', is used in a
file system operation
.

var first bool = true
for {
var h *tar.Header
h, err = r.Next()
if err != nil {
if errors.Is(err, io.EOF) {
if first {
return fmt.Errorf("does not look like a tar")
}
return nil
}
return err
}

if strings.HasPrefix(path.Clean(h.Name), "..") {
return fmt.Errorf("file name escapes")
}
if strings.HasPrefix(path.Clean(h.Linkname), "..") {
return fmt.Errorf("link target escapes")

Check failure

Code scanning / CodeQL

Arbitrary file write extracting an archive containing symbolic links High

Unresolved path from an archive header, which may point outside the archive root, is used in
symlink creation
.

Check failure

Code scanning / CodeQL

Arbitrary file write extracting an archive containing symbolic links High

Unresolved path from an archive header, which may point outside the archive root, is used in
symlink creation
.
}

first = false
switch {
case h.Typeflag == tar.TypeReg || h.Typeflag == tar.TypeRegA:
err = writeRegular(h)
case h.Typeflag == tar.TypeDir:
err = os.MkdirAll(
filepath.Join(wd, filepath.FromSlash(h.Name)),
os.FileMode(h.Mode)&fs.ModePerm,
)
case h.Typeflag == tar.TypeSymlink:
err = os.Symlink(h.Linkname, filepath.Join(wd, filepath.FromSlash(h.Name)))
default:
_, _ = fmt.Printf("unsupported type flag: %d\n", h.Typeflag)
}
if err != nil {
return err
}
}
}
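Review bot: The symlink guard `if strings.HasPrefix(path.Clean(h.Linkname), "..")` rejects only relative targets that climb upward, so an entry whose Linkname is absolute (`/etc`, say) still reaches os.Symlink, and a later entry named under that link — os.MkdirAll and os.OpenFile in writeRegular both follow symlinks — is written outside the working directory; extend the check to `if path.IsAbs(h.Linkname) || strings.HasPrefix(path.Clean(h.Linkname), "..") {`. With name escapes already rejected, that leaves only symlinks that exist in the working directory before extraction starts, which this code cannot control and should be documented as a precondition. Separately, writeRegular never checks the error from os.OpenFile: on failure `f` is nil, both the deferred Close and io.Copy report ErrInvalid, and the real open error is lost — add `if e != nil { return e }` directly after the OpenFile call. The argv comparison at the top of sh is the only thing that makes this extractor reachable, so it is worth a comment stating that the string must match the legacy caller in pkg/k8s byte for byte.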
Binary file modified pkg/k8s/testdata/content.tar
