cstrans-df-run: restrict the regex accepting exec form

kdudka · kdudka · commit 49f0451cbba6 · 2025-06-27T08:34:06.000+02:00
... of the RUN instruction. This change causes the following RUN instruction to be recognized as the shell form: ``` RUN [ "$(sha1sum Dockerfile.cached | cut -d' ' -f1)" = "$(sha1sum Dockerfile | cut -d' ' -f1)" ] ``` Fixes: https://issues.redhat.com/browse/PSSECAUT-1207
diff --git a/src/cstrans-df-run.cc b/src/cstrans-df-run.cc
@@ -80,8 +80,12 @@ class DockerFileTransformer {
         // split RUN directive with options from the actual command
         const RE reLineRunOpts_ = RE("^(RUN +(?:--[A-Za-z0-9_]+=[^ ]+ +)*)(.*)$");
 
-        /// match ... in RUN [...]
-        const RE reLineRunExec_ = RE("^\\[(.*)\\] *$");
+        /// text to construct RE taking "..." where inner quotes can be escaped
+        const std::string rtQuotedStr_ = "\"([^\"\\\\]|\\\\.)*\"";
+
+        /// match RUN ["cmd", "opt1", "opt2", ...] with zero or more opts
+        const RE reLineRunExec_ = RE("^\\[\\s*(" + rtQuotedStr_
+                + "(?:\\s*,\\s*" + rtQuotedStr_ + ")*)\\s*\\]\\s*$");
 
         /// match in-line comments
         const RE reComment_     = RE("^\\s*#.*$");
diff --git a/tests/cstrans-df-run/0012-sf-stdout.txt b/tests/cstrans-df-run/0012-sf-stdout.txt
@@ -0,0 +1,37 @@
+# Detect the drift from the upstream Dockerfile
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS drift
+WORKDIR /app
+COPY drift-cache/Dockerfile Dockerfile.cached
+COPY Dockerfile.openshift Dockerfile
+# If the command below fails it means that the Dockerfile from this repository changed.
+# You have to update the Konflux Containerfile accordingly.
+# drift-cache/Dockerfile can be updated with the upstream contents once the Konflux version is aligned.
+RUN '/opt/cov-sa-2019.09/bin/cov-build' '--dir=/cov' '--append-log' 'sh' '-c' $'[ \"$(sha1sum Dockerfile.cached | cut -d\' \' -f1)\" = \"$(sha1sum Dockerfile | cut -d\' \' -f1)\" ]'
+
+FROM registry.access.redhat.com/ubi9/go-toolset:1.22 as builder
+# dummy copy to trigger the drift detection
+COPY --from=drift /app/Dockerfile.cached .
+WORKDIR /workspace
+# Dummy RUN to create /workspace directory.
+# WORKDIR doesn't create the directory (at least for Podman).
+# Without this step, the following COPY may create /workspace
+# as root-owned (instead of go-toolset's default 1001)
+# leading to "Permission denied" errors during "make build"
+# when trying to write output.
+RUN '/opt/cov-sa-2019.09/bin/cov-build' '--dir=/cov' '--append-log' 'sh' '-c' 'ls .'
+COPY . /workspace
+RUN '/opt/cov-sa-2019.09/bin/cov-build' '--dir=/cov' '--append-log' 'sh' '-c' 'git config --global --add safe.directory /workspace'
+# Build
+RUN '/opt/cov-sa-2019.09/bin/cov-build' '--dir=/cov' '--append-log' 'sh' '-c' 'make build'
+
+FROM registry.redhat.io/rhel9-4-els/rhel:9.4-943.1729773477
+LABEL maintainer="Red Hat, Inc."
+LABEL com.redhat.component="external-dns-container"
+LABEL name="external-dns"
+LABEL version="1.3.0"
+LABEL commit="76d92ad82b22c92c191a8c0145d3712e4012d987"
+WORKDIR /
+COPY --from=builder /workspace/build/external-dns /
+COPY LICENSE /licenses/
+USER 65532:65532
+ENTRYPOINT ["/external-dns"]
diff --git a/tests/cstrans-df-run/0012-stdin.txt b/tests/cstrans-df-run/0012-stdin.txt
@@ -0,0 +1,37 @@
+# Detect the drift from the upstream Dockerfile
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS drift
+WORKDIR /app
+COPY drift-cache/Dockerfile Dockerfile.cached
+COPY Dockerfile.openshift Dockerfile
+# If the command below fails it means that the Dockerfile from this repository changed.
+# You have to update the Konflux Containerfile accordingly.
+# drift-cache/Dockerfile can be updated with the upstream contents once the Konflux version is aligned.
+RUN [ "$(sha1sum Dockerfile.cached | cut -d' ' -f1)" = "$(sha1sum Dockerfile | cut -d' ' -f1)" ]
+
+FROM registry.access.redhat.com/ubi9/go-toolset:1.22 as builder
+# dummy copy to trigger the drift detection
+COPY --from=drift /app/Dockerfile.cached .
+WORKDIR /workspace
+# Dummy RUN to create /workspace directory.
+# WORKDIR doesn't create the directory (at least for Podman).
+# Without this step, the following COPY may create /workspace
+# as root-owned (instead of go-toolset's default 1001)
+# leading to "Permission denied" errors during "make build"
+# when trying to write output.
+RUN ls .
+COPY . /workspace
+RUN git config --global --add safe.directory /workspace
+# Build
+RUN make build
+
+FROM registry.redhat.io/rhel9-4-els/rhel:9.4-943.1729773477
+LABEL maintainer="Red Hat, Inc."
+LABEL com.redhat.component="external-dns-container"
+LABEL name="external-dns"
+LABEL version="1.3.0"
+LABEL commit="76d92ad82b22c92c191a8c0145d3712e4012d987"
+WORKDIR /
+COPY --from=builder /workspace/build/external-dns /
+COPY LICENSE /licenses/
+USER 65532:65532
+ENTRYPOINT ["/external-dns"]
diff --git a/tests/cstrans-df-run/0012-stdout.txt b/tests/cstrans-df-run/0012-stdout.txt
@@ -0,0 +1,37 @@
+# Detect the drift from the upstream Dockerfile
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS drift
+WORKDIR /app
+COPY drift-cache/Dockerfile Dockerfile.cached
+COPY Dockerfile.openshift Dockerfile
+# If the command below fails it means that the Dockerfile from this repository changed.
+# You have to update the Konflux Containerfile accordingly.
+# drift-cache/Dockerfile can be updated with the upstream contents once the Konflux version is aligned.
+RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "[ \"$(sha1sum Dockerfile.cached | cut -d' ' -f1)\" = \"$(sha1sum Dockerfile | cut -d' ' -f1)\" ]"]
+
+FROM registry.access.redhat.com/ubi9/go-toolset:1.22 as builder
+# dummy copy to trigger the drift detection
+COPY --from=drift /app/Dockerfile.cached .
+WORKDIR /workspace
+# Dummy RUN to create /workspace directory.
+# WORKDIR doesn't create the directory (at least for Podman).
+# Without this step, the following COPY may create /workspace
+# as root-owned (instead of go-toolset's default 1001)
+# leading to "Permission denied" errors during "make build"
+# when trying to write output.
+RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "ls ."]
+COPY . /workspace
+RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "git config --global --add safe.directory /workspace"]
+# Build
+RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "make build"]
+
+FROM registry.redhat.io/rhel9-4-els/rhel:9.4-943.1729773477
+LABEL maintainer="Red Hat, Inc."
+LABEL com.redhat.component="external-dns-container"
+LABEL name="external-dns"
+LABEL version="1.3.0"
+LABEL commit="76d92ad82b22c92c191a8c0145d3712e4012d987"
+WORKDIR /
+COPY --from=builder /workspace/build/external-dns /
+COPY LICENSE /licenses/
+USER 65532:65532
+ENTRYPOINT ["/external-dns"]
diff --git a/tests/cstrans-df-run/CMakeLists.txt b/tests/cstrans-df-run/CMakeLists.txt
@@ -45,3 +45,4 @@ test_cstrans_df_run(0008)
 test_cstrans_df_run(0009)
 test_cstrans_df_run(0010)
 test_cstrans_df_run(0011)
+test_cstrans_df_run(0012)
