vendor: github.com/moby/buildkit v0.11.4

- provenance: ensure URLs are redacted before written (fixes CVE-2023-26054) full diff: https://github.com/moby/buildkit/compare/218e934edfba...v0.11.4 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-06 17:21:15 +01:00 · 2023-03-06 17:21:15 +01:00 · b0b3c62a84
commit b0b3c62a84
parent 6f719c74a9
5 changed files with 20 additions and 4 deletions
--- a/vendor.mod
+++ b/vendor.mod
@ -56,7 +56,7 @@ require (
 	github.com/klauspost/compress v1.15.12
 	github.com/miekg/dns v1.1.43
 	github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible
-	github.com/moby/buildkit v0.11.4-0.20230228113103-218e934edfba
+	github.com/moby/buildkit v0.11.4
 	github.com/moby/ipvs v1.1.0
 	github.com/moby/locker v1.0.1
 	github.com/moby/patternmatcher v0.5.0
--- a/vendor.sum
+++ b/vendor.sum
@ -755,8 +755,8 @@ github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0Qu
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A=
-github.com/moby/buildkit v0.11.4-0.20230228113103-218e934edfba h1:sDHdZsyWOKBa1hYp0yk5a5bIWQgfa3ftc+c1nBSA+dI=
-github.com/moby/buildkit v0.11.4-0.20230228113103-218e934edfba/go.mod h1:P5Qi041LvCfhkfYBHry+Rwoo3Wi6H971J2ggE+PcIoo=
+github.com/moby/buildkit v0.11.4 h1:mleVHr+n7HUD65QNUkgkT3d8muTzhYUoHE9FM3Ej05s=
+github.com/moby/buildkit v0.11.4/go.mod h1:P5Qi041LvCfhkfYBHry+Rwoo3Wi6H971J2ggE+PcIoo=
 github.com/moby/ipvs v1.1.0 h1:ONN4pGaZQgAx+1Scz5RvWV4Q7Gb+mvfRh3NsPS+1XQQ=
 github.com/moby/ipvs v1.1.0/go.mod h1:4VJMWuf098bsUMmZEiD4Tjk/O7mOn3l1PTD3s4OoYAs=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
--- a/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/capture.go
+++ b/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/capture.go
@ -5,6 +5,7 @@ import (

 	distreference "github.com/docker/distribution/reference"
 	"github.com/moby/buildkit/solver/result"
+	"github.com/moby/buildkit/util/urlutil"
 	digest "github.com/opencontainers/go-digest"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 )
@ -190,6 +191,7 @@ func (c *Capture) AddLocal(l LocalSource) {
 }

 func (c *Capture) AddGit(g GitSource) {
+	g.URL = urlutil.RedactCredentials(g.URL)
 	for _, v := range c.Sources.Git {
 		if v.URL == g.URL {
 			return
@ -199,6 +201,7 @@ func (c *Capture) AddGit(g GitSource) {
 }

 func (c *Capture) AddHTTP(h HTTPSource) {
+	h.URL = urlutil.RedactCredentials(h.URL)
 	for _, v := range c.Sources.HTTP {
 		if v.URL == h.URL {
 			return
--- a/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go
+++ b/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go
@ -7,6 +7,7 @@ import (
 	slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
 	slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
 	"github.com/moby/buildkit/util/purl"
+	"github.com/moby/buildkit/util/urlutil"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/package-url/packageurl-go"
 )
@ -151,6 +152,7 @@ func NewPredicate(c *Capture) (*ProvenancePredicate, error) {
 		} else {
 			inv.ConfigSource.URI = v
 		}
+		inv.ConfigSource.URI = urlutil.RedactCredentials(inv.ConfigSource.URI)
 		delete(c.Args, contextKey)
 	}

@ -162,6 +164,9 @@ func NewPredicate(c *Capture) (*ProvenancePredicate, error) {
 	vcs := make(map[string]string)
 	for k, v := range c.Args {
 		if strings.HasPrefix(k, "vcs:") {
+			if k == "vcs:source" {
+				v = urlutil.RedactCredentials(v)
+			}
 			delete(c.Args, k)
 			if v != "" {
 				vcs[strings.TrimPrefix(k, "vcs:")] = v
@ -231,6 +236,11 @@ func FilterArgs(m map[string]string) map[string]string {
 		"platform":           {},
 		"cache-imports":      {},
 	}
+	const defaultContextKey = "context"
+	contextKey := defaultContextKey
+	if v, ok := m["contextkey"]; ok && v != "" {
+		contextKey = v
+	}
 	out := make(map[string]string)
 	for k, v := range m {
 		if _, ok := hostSpecificArgs[k]; ok {
@ -239,6 +249,9 @@ func FilterArgs(m map[string]string) map[string]string {
 		if strings.HasPrefix(k, "attest:") {
 			continue
 		}
+		if k == contextKey || strings.HasPrefix(k, defaultContextKey+":") {
+			v = urlutil.RedactCredentials(v)
+		}
 		out[k] = v
 	}
 	return out
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -542,7 +542,7 @@ github.com/mistifyio/go-zfs
 # github.com/mitchellh/hashstructure/v2 v2.0.2
 ## explicit; go 1.14
 github.com/mitchellh/hashstructure/v2
-# github.com/moby/buildkit v0.11.4-0.20230228113103-218e934edfba
+# github.com/moby/buildkit v0.11.4
 ## explicit; go 1.18
 github.com/moby/buildkit/api/services/control
 github.com/moby/buildkit/api/types