remote,build: error if containerignore is symlink

Drop support for remote use-cases when `.containerignore` or `.dockerignore` is a symlink pointing to arbitrary location on host. Signed-off-by: Aditya R <arajan@redhat.com>
2025-12-01 10:38:05 +08:00 · 2023-01-26 16:11:51 +05:30
parent 0184ba5d09
commit 70e8f6243a
9 changed files with 126 additions and 29 deletions
--- a/test/buildah-bud/apply-podman-deltas
+++ b/test/buildah-bud/apply-podman-deltas
@@ -245,7 +245,8 @@ skip_if_remote "Explicit request in buildah PR 4190 to skip this on remote" \
 # BEGIN tests which are skipped due to actual podman or podman-remote bugs.

 skip_if_remote "different error messages between podman & podman-remote" \
-               "bud with .dockerignore #2"
+               "bud with .dockerignore #2" \
+               "bud with .dockerignore #4"

 # END   tests which are skipped due to actual podman or podman-remote bugs.
 ###############################################################################
--- a/test/e2e/build/containerignore-symlink/.dockerignore
+++ b/test/e2e/build/containerignore-symlink/.dockerignore
@@ -0,0 +1 @@
+/tmp/private_file
--- a/test/e2e/build/containerignore-symlink/Dockerfile
+++ b/test/e2e/build/containerignore-symlink/Dockerfile
@@ -0,0 +1,2 @@
+FROM alpine
+COPY / /dir
--- a/test/e2e/build/containerignore-symlink/hello
+++ b/test/e2e/build/containerignore-symlink/hello
--- a/test/e2e/build/containerignore-symlink/world
+++ b/test/e2e/build/containerignore-symlink/world
--- a/test/e2e/build_test.go
+++ b/test/e2e/build_test.go
@@ -461,6 +461,33 @@ RUN find /test`, ALPINE)
 		Expect(session.OutputToString()).To(ContainSubstring("/test/dummy"))
 	})

+	It("podman remote build must not allow symlink for ignore files", func() {
+		// Create a random file where symlink must be resolved
+		// but build should not be able to access it.
+		f, err := os.Create(filepath.Join("/tmp", "private_file"))
+		Expect(err).ToNot(HaveOccurred())
+		// Mark hello to be ignored in outerfile, but it should not be ignored.
+		_, err = f.WriteString("hello\n")
+		Expect(err).ToNot(HaveOccurred())
+		defer f.Close()
+
+		if IsRemote() {
+			podmanTest.StopRemoteService()
+			podmanTest.StartRemoteService()
+		} else {
+			Skip("Only valid at remote test")
+		}
+
+		session := podmanTest.Podman([]string{"build", "--pull-never", "-t", "test", "build/containerignore-symlink/"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+
+		session = podmanTest.Podman([]string{"run", "--rm", "test", "ls", "/dir"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		Expect(session.OutputToString()).To(ContainSubstring("hello"))
+	})
+
 	It("podman remote test container/docker file is not at root of context dir", func() {
 		if IsRemote() {
 			podmanTest.StopRemoteService()