vendor: update buildah to latest

Includes a fix for CVE-2024-9407

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Paul Holzinger
2024-10-02 11:29:28 +02:00
parent dde1c3d98c
commit 83a0299309
106 changed files with 1414 additions and 1115 deletions


@@ -17,26 +17,26 @@ import (
// from a Dockerfile. Try anything more than that and it'll return an error.
type configOnlyExecutor struct{}
func (g *configOnlyExecutor) Preserve(path string) error {
func (g *configOnlyExecutor) Preserve(_ string) error {
return errors.New("ADD/COPY/RUN not supported as changes")
}
func (g *configOnlyExecutor) EnsureContainerPath(path string) error {
func (g *configOnlyExecutor) EnsureContainerPath(_ string) error {
return nil
}
func (g *configOnlyExecutor) EnsureContainerPathAs(path, user string, mode *os.FileMode) error {
func (g *configOnlyExecutor) EnsureContainerPathAs(_, _ string, _ *os.FileMode) error {
return nil
}
func (g *configOnlyExecutor) Copy(excludes []string, copies ...imagebuilder.Copy) error {
func (g *configOnlyExecutor) Copy(_ []string, copies ...imagebuilder.Copy) error {
if len(copies) == 0 {
return nil
}
return errors.New("ADD/COPY not supported as changes")
}
func (g *configOnlyExecutor) Run(run imagebuilder.Run, config dockerclient.Config) error {
func (g *configOnlyExecutor) Run(_ imagebuilder.Run, _ dockerclient.Config) error {
return errors.New("RUN not supported as changes")
}


@@ -319,7 +319,7 @@ func Archive(rootfsPath string, ociConfig *v1.Image, options ArchiveOptions) (io
imageSize := slop(options.ImageSize, options.Slop)
if imageSize == 0 {
var sourceSize int64
if err := filepath.WalkDir(rootfsPath, func(path string, d fs.DirEntry, err error) error {
if err := filepath.WalkDir(rootfsPath, func(_ string, d fs.DirEntry, err error) error {
if err != nil && !errors.Is(err, os.ErrNotExist) && !errors.Is(err, os.ErrPermission) {
return err
}


@@ -1,18 +1,18 @@
package internal
const (
// Temp directory which stores external artifacts which are download for a build.
// Example: tar files from external sources.
// BuildahExternalArtifactsDir is the pattern passed to os.MkdirTemp()
// to generate a temporary directory which will be used to hold
// external items which are downloaded for a build, typically a tarball
// being used as an additional build context.
BuildahExternalArtifactsDir = "buildah-external-artifacts"
)
// Types is internal packages are suspected to change with releases avoid using these outside of buildah
// StageMountDetails holds the Stage/Image mountpoint returned by StageExecutor
// StageExecutor has ability to mount stages/images in current context and
// automatically clean them up.
type StageMountDetails struct {
DidExecute bool // tells if the stage which is being mounted was freshly executed or was part of older cache
IsStage bool // tells if mountpoint returned from stage executor is stage or image
MountPoint string // mountpoint of stage/image
IsStage bool // true if the mountpoint is a temporary directory or a stage's rootfs, false if it's an image
MountPoint string // mountpoint of the stage or image's root directory
}


@@ -72,7 +72,7 @@ func ExportFromReader(input io.Reader, opts define.BuildOutputOption) error {
noLChown = true
}
err = os.MkdirAll(opts.Path, 0700)
err = os.MkdirAll(opts.Path, 0o700)
if err != nil {
return fmt.Errorf("failed while creating the destination path %q: %w", opts.Path, err)
}


@@ -2,6 +2,7 @@ package volumes
import (
"context"
"errors"
"fmt"
"os"
"path"
@@ -9,8 +10,6 @@ import (
"strconv"
"strings"
"errors"
"github.com/containers/buildah/copier"
"github.com/containers/buildah/define"
"github.com/containers/buildah/internal"
@@ -105,6 +104,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
if !hasArgValue {
return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg)
}
switch argValue {
default:
return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
case "shared", "rshared", "private", "rprivate", "slave", "rslave":
// this should be the relevant parts of the same list of options we accepted above
}
newMount.Options = append(newMount.Options, argValue)
case "src", "source":
if !hasArgValue {
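Review bot: The accepted values `"shared", "rshared", "private", "rprivate", "slave", "rslave"` are spelled out inline in this new `switch argValue` in GetBindMount and again in the identical switch added to GetCacheMount (the `@@ -277,6 +282,12 @@` hunk), and the added comment says both must also track a list accepted earlier in the function, which is outside the hunk. The surrounding lines show the value reaching `newMount.Options` after only the `hasArgValue` check, so this allowlist is the entire validation, and a later edit to one copy would silently weaken the other. One package-level helper called from both cases, for example `func isValidPropagation(v string) bool`, would keep them in step, and placing `default:` after the `case` would read more conventionally. Going by the commit title this file is vendored, so that change belongs upstream in buildah; locally, a regression test asserting that an unlisted value is rejected with `errBadMntOption` would catch a later vendor update that drops the check.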
@@ -224,7 +229,7 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
// GetCacheMount parses a single cache mount entry from the --mount flag.
//
// If this function succeeds and returns a non-nil *lockfile.LockFile, the caller must unlock it (when??).
func GetCacheMount(args []string, store storage.Store, imageMountLabel string, additionalMountPoints map[string]internal.StageMountDetails, workDir string) (specs.Mount, *lockfile.LockFile, error) {
func GetCacheMount(args []string, _ storage.Store, _ string, additionalMountPoints map[string]internal.StageMountDetails, workDir string) (specs.Mount, *lockfile.LockFile, error) {
var err error
var mode uint64
var buildahLockFilesDir string
@@ -240,7 +245,7 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
}
// if id is set a new subdirectory with `id` will be created under /host-temp/buildah-build-cache/id
id := ""
// buildkit parity: cache directory defaults to 755
// buildkit parity: cache directory defaults to 0o755
mode = 0o755
// buildkit parity: cache directory defaults to uid 0 if not specified
uid := 0
@@ -277,6 +282,12 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
if !hasArgValue {
return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg)
}
switch argValue {
default:
return newMount, nil, fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption)
case "shared", "rshared", "private", "rprivate", "slave", "rslave":
// this should be the relevant parts of the same list of options we accepted above
}
newMount.Options = append(newMount.Options, argValue)
case "id":
if !hasArgValue {
@@ -346,8 +357,9 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
}
if fromStage != "" {
// do not create cache on host
// instead use read-only mounted stage as cache
// do not create and use a cache directory on the host,
// instead use the location in the mounted stage or
// temporary directory as the cache
mountPoint := ""
if additionalMountPoints != nil {
if val, ok := additionalMountPoints[fromStage]; ok {
@@ -356,24 +368,24 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
}
}
}
// Cache does not supports using image so if not stage found
// return with error
// Cache does not support using an image so if there's no such
// stage or temporary directory, return an error
if mountPoint == "" {
return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage)
}
// path should be /contextDir/specified path
newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source))
} else {
// we need to create cache on host if no image is being used
// we need to create the cache directory on the host if no image is being used
// since type is cache and cache can be reused by consecutive builds
// since type is cache and a cache can be reused by consecutive builds
// create a common cache directory, which persists on hosts within temp lifecycle
// add subdirectory if specified
// cache parent directory: creates separate cache parent for each user.
cacheParent := CacheParent()
// create cache on host if not present
err = os.MkdirAll(cacheParent, os.FileMode(0755))
err = os.MkdirAll(cacheParent, os.FileMode(0o755))
if err != nil {
return newMount, nil, fmt.Errorf("unable to create build cache directory: %w", err)
}
@@ -389,7 +401,7 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
UID: uid,
GID: gid,
}
// buildkit parity: change uid and gid if specified otheriwise keep `0`
// buildkit parity: change uid and gid if specified, otherwise keep `0`
err = idtools.MkdirAllAndChownNew(newMount.Source, os.FileMode(mode), idPair)
if err != nil {
return newMount, nil, fmt.Errorf("unable to change uid,gid of cache directory: %w", err)
@@ -397,7 +409,7 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a
// create a subdirectory inside `cacheParent` just to store lockfiles
buildahLockFilesDir = filepath.Join(cacheParent, buildahLockFilesDir)
err = os.MkdirAll(buildahLockFilesDir, os.FileMode(0700))
err = os.MkdirAll(buildahLockFilesDir, os.FileMode(0o700))
if err != nil {
return newMount, nil, fmt.Errorf("unable to create build cache lockfiles directory: %w", err)
}