
cstrans-df-run: restrict the regex accepting exec form #229


Merged
merged 1 commit into from
Jun 30, 2025
Merged
8 changes: 6 additions & 2 deletions src/cstrans-df-run.cc
Expand Up @@ -80,8 +80,12 @@ class DockerFileTransformer {
// split RUN directive with options from the actual command
const RE reLineRunOpts_ = RE("^(RUN +(?:--[A-Za-z0-9_]+=[^ ]+ +)*)(.*)$");

/// match ... in RUN [...]
const RE reLineRunExec_ = RE("^\\[(.*)\\] *$");
/// text to construct RE taking "..." where inner quotes can be escaped
const std::string rtQuotedStr_ = "\"([^\"\\\\]|\\\\.)*\"";

/// match RUN ["cmd", "opt1", "opt2", ...] with zero or more opts
const RE reLineRunExec_ = RE("^\\[\\s*(" + rtQuotedStr_
+ "(?:\\s*,\\s*" + rtQuotedStr_ + ")*)\\s*\\]\\s*$");

/// match in-line comments
const RE reComment_ = RE("^\\s*#.*$");
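Review bot: The default member initializer of `reLineRunExec_` at the end of the hunk reads `rtQuotedStr_`, so the relative order of the two declarations is load-bearing — non-static data members are initialized in declaration order, and moving `rtQuotedStr_` below `reLineRunExec_` would build the regex from a not-yet-constructed string. A one-line comment above `rtQuotedStr_`, such as `/// NOTE: must stay declared before reLineRunExec_, whose initializer concatenates it`, would protect against an innocent reorder. Separately, the repetition group inside `rtQuotedStr_` is capturing, so each use of the fragment adds a sub-match that only ever holds the last character of that string; making it non-capturing, `const std::string rtQuotedStr_ = "\"(?:[^\"\\\\]|\\\\.)*\"";`, leaves group 1 (the whole list) as the only capture and avoids shifting group numbers if a consumer outside this hunk indexes sub-matches. The enclosing class DockerFileTransformer starts and ends outside the hunk.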
37 changes: 37 additions & 0 deletions tests/cstrans-df-run/0012-sf-stdout.txt
@@ -0,0 +1,37 @@
# Detect the drift from the upstream Dockerfile
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS drift
WORKDIR /app
COPY drift-cache/Dockerfile Dockerfile.cached
COPY Dockerfile.openshift Dockerfile
# If the command below fails it means that the Dockerfile from this repository changed.
# You have to update the Konflux Containerfile accordingly.
# drift-cache/Dockerfile can be updated with the upstream contents once the Konflux version is aligned.
RUN '/opt/cov-sa-2019.09/bin/cov-build' '--dir=/cov' '--append-log' 'sh' '-c' $'[ \"$(sha1sum Dockerfile.cached | cut -d\' \' -f1)\" = \"$(sha1sum Dockerfile | cut -d\' \' -f1)\" ]'

FROM registry.access.redhat.com/ubi9/go-toolset:1.22 as builder
# dummy copy to trigger the drift detection
COPY --from=drift /app/Dockerfile.cached .
WORKDIR /workspace
# Dummy RUN to create /workspace directory.
# WORKDIR doesn't create the directory (at least for Podman).
# Without this step, the following COPY may create /workspace
# as root-owned (instead of go-toolset's default 1001)
# leading to "Permission denied" errors during "make build"
# when trying to write output.
RUN '/opt/cov-sa-2019.09/bin/cov-build' '--dir=/cov' '--append-log' 'sh' '-c' 'ls .'
COPY . /workspace
RUN '/opt/cov-sa-2019.09/bin/cov-build' '--dir=/cov' '--append-log' 'sh' '-c' 'git config --global --add safe.directory /workspace'
# Build
RUN '/opt/cov-sa-2019.09/bin/cov-build' '--dir=/cov' '--append-log' 'sh' '-c' 'make build'

FROM registry.redhat.io/rhel9-4-els/rhel:9.4-943.1729773477
LABEL maintainer="Red Hat, Inc."
LABEL com.redhat.component="external-dns-container"
LABEL name="external-dns"
LABEL version="1.3.0"
LABEL commit="76d92ad82b22c92c191a8c0145d3712e4012d987"
WORKDIR /
COPY --from=builder /workspace/build/external-dns /
COPY LICENSE /licenses/
USER 65532:65532
ENTRYPOINT ["/external-dns"]
37 changes: 37 additions & 0 deletions tests/cstrans-df-run/0012-stdin.txt
@@ -0,0 +1,37 @@
# Detect the drift from the upstream Dockerfile
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS drift
WORKDIR /app
COPY drift-cache/Dockerfile Dockerfile.cached
COPY Dockerfile.openshift Dockerfile
# If the command below fails it means that the Dockerfile from this repository changed.
# You have to update the Konflux Containerfile accordingly.
# drift-cache/Dockerfile can be updated with the upstream contents once the Konflux version is aligned.
RUN [ "$(sha1sum Dockerfile.cached | cut -d' ' -f1)" = "$(sha1sum Dockerfile | cut -d' ' -f1)" ]

FROM registry.access.redhat.com/ubi9/go-toolset:1.22 as builder
# dummy copy to trigger the drift detection
COPY --from=drift /app/Dockerfile.cached .
WORKDIR /workspace
# Dummy RUN to create /workspace directory.
# WORKDIR doesn't create the directory (at least for Podman).
# Without this step, the following COPY may create /workspace
# as root-owned (instead of go-toolset's default 1001)
# leading to "Permission denied" errors during "make build"
# when trying to write output.
RUN ls .
COPY . /workspace
RUN git config --global --add safe.directory /workspace
# Build
RUN make build

FROM registry.redhat.io/rhel9-4-els/rhel:9.4-943.1729773477
LABEL maintainer="Red Hat, Inc."
LABEL com.redhat.component="external-dns-container"
LABEL name="external-dns"
LABEL version="1.3.0"
LABEL commit="76d92ad82b22c92c191a8c0145d3712e4012d987"
WORKDIR /
COPY --from=builder /workspace/build/external-dns /
COPY LICENSE /licenses/
USER 65532:65532
ENTRYPOINT ["/external-dns"]
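Review bot: The fixture covers the shell-form `RUN [ ... ]` test expression that the stricter regex must no longer mistake for exec form, but none of its RUN lines is a genuine exec-form array and none contains an escaped quote inside an element, so the `\\.` escape branch introduced by `rtQuotedStr_` is, as far as the three 0012 files show, unexercised. A companion input line such as `RUN ["sh", "-c", "echo \"quoted\""]` in the stdin file, with the corresponding wrapped line in the two stdout files, would pin both the positive exec-form match and the escape handling. The same observation applies to the 0012-stdout.txt and 0012-sf-stdout.txt sections.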
37 changes: 37 additions & 0 deletions tests/cstrans-df-run/0012-stdout.txt
@@ -0,0 +1,37 @@
# Detect the drift from the upstream Dockerfile
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS drift
WORKDIR /app
COPY drift-cache/Dockerfile Dockerfile.cached
COPY Dockerfile.openshift Dockerfile
# If the command below fails it means that the Dockerfile from this repository changed.
# You have to update the Konflux Containerfile accordingly.
# drift-cache/Dockerfile can be updated with the upstream contents once the Konflux version is aligned.
RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "[ \"$(sha1sum Dockerfile.cached | cut -d' ' -f1)\" = \"$(sha1sum Dockerfile | cut -d' ' -f1)\" ]"]

FROM registry.access.redhat.com/ubi9/go-toolset:1.22 as builder
# dummy copy to trigger the drift detection
COPY --from=drift /app/Dockerfile.cached .
WORKDIR /workspace
# Dummy RUN to create /workspace directory.
# WORKDIR doesn't create the directory (at least for Podman).
# Without this step, the following COPY may create /workspace
# as root-owned (instead of go-toolset's default 1001)
# leading to "Permission denied" errors during "make build"
# when trying to write output.
RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "ls ."]
COPY . /workspace
RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "git config --global --add safe.directory /workspace"]
# Build
RUN ["/opt/cov-sa-2019.09/bin/cov-build", "--dir=/cov", "--append-log", "sh", "-c", "make build"]

FROM registry.redhat.io/rhel9-4-els/rhel:9.4-943.1729773477
LABEL maintainer="Red Hat, Inc."
LABEL com.redhat.component="external-dns-container"
LABEL name="external-dns"
LABEL version="1.3.0"
LABEL commit="76d92ad82b22c92c191a8c0145d3712e4012d987"
WORKDIR /
COPY --from=builder /workspace/build/external-dns /
COPY LICENSE /licenses/
USER 65532:65532
ENTRYPOINT ["/external-dns"]
1 change: 1 addition & 0 deletions tests/cstrans-df-run/CMakeLists.txt
Expand Up @@ -45,3 +45,4 @@ test_cstrans_df_run(0008)
test_cstrans_df_run(0009)
test_cstrans_df_run(0010)
test_cstrans_df_run(0011)
test_cstrans_df_run(0012)