diff --git a/builder/dockerfile/copy.go b/builder/dockerfile/copy.go
index 6370871f18..42b4808db4 100644
--- a/builder/dockerfile/copy.go
+++ b/builder/dockerfile/copy.go
@@ -17,13 +17,13 @@ import (
 "github.com/docker/docker/builder/remotecontext"
 "github.com/docker/docker/builder/remotecontext/urlutil"
 "github.com/docker/docker/pkg/archive"
- "github.com/docker/docker/pkg/containerfs"
 "github.com/docker/docker/pkg/idtools"
 "github.com/docker/docker/pkg/longpath"
 "github.com/docker/docker/pkg/progress"
 "github.com/docker/docker/pkg/streamformatter"
 "github.com/docker/docker/pkg/system"
 "github.com/moby/buildkit/frontend/dockerfile/instructions"
+ "github.com/moby/sys/symlink"
 ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 "github.com/pkg/errors"
 )
@@ -45,7 +45,7 @@ type copyInfo struct {
 }
 func (c copyInfo) fullPath() (string, error) {
- return containerfs.ResolveScopedPath(c.root, c.path)
+ return symlink.FollowSymlinkInScope(filepath.Join(c.root, c.path), c.root)
 }
 func newCopyInfoFromSource(source builder.Source, path string, hash string) copyInfo {
diff --git a/builder/remotecontext/archive.go b/builder/remotecontext/archive.go
index bfe937b9aa..52811e1700 100644
--- a/builder/remotecontext/archive.go
+++ b/builder/remotecontext/archive.go
@@ -8,9 +8,9 @@ import (
 "github.com/docker/docker/builder"
 "github.com/docker/docker/pkg/archive"
 "github.com/docker/docker/pkg/chrootarchive"
- "github.com/docker/docker/pkg/containerfs"
 "github.com/docker/docker/pkg/longpath"
 "github.com/docker/docker/pkg/tarsum"
+ "github.com/moby/sys/symlink"
 "github.com/pkg/errors"
 )
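Review bot: `copyInfo.fullPath` has no doc comment, and with the wrapper gone its scoping contract now lives only in the argument order of `symlink.FollowSymlinkInScope(filepath.Join(c.root, c.path), c.root)` (joined path first, scope second). The same expression is repeated in `normalize` (archive.go), `FullPath` (detect.go) and `GetResourcePath` (container.go), so an inverted or un-joined argument at any one site would still compile and only surface as a wrong path or an error at run time. I would add `// fullPath returns c.path resolved beneath c.root; symlinks are followed, but the result stays inside c.root at the time of the call.` above the method. `filepath` is presumably already imported in copy.go; the import hunk shown only swaps `containerfs` for `symlink`.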
@@ -117,7 +117,7 @@ func (c *archiveContext) Hash(path string) (string, error) {
 func normalize(path string, root string) (cleanPath, fullPath string, err error) {
 cleanPath = filepath.Clean(string(filepath.Separator) + path)[1:]
- fullPath, err = containerfs.ResolveScopedPath(root, path)
+ fullPath, err = symlink.FollowSymlinkInScope(filepath.Join(root, path), root)
 if err != nil {
 return "", "", errors.Wrapf(err, "forbidden path outside the build context: %s (%s)", path, cleanPath)
 }
diff --git a/builder/remotecontext/detect.go b/builder/remotecontext/detect.go
index ac120039e6..36c7569f3c 100644
--- a/builder/remotecontext/detect.go
+++ b/builder/remotecontext/detect.go
@@ -6,6 +6,7 @@ import (
 "fmt"
 "io"
 "os"
+ "path/filepath"
 "runtime"
 "strings"
@@ -15,10 +16,10 @@ import (
 "github.com/docker/docker/builder"
 "github.com/docker/docker/builder/remotecontext/urlutil"
 "github.com/docker/docker/errdefs"
- "github.com/docker/docker/pkg/containerfs"
 "github.com/moby/buildkit/frontend/dockerfile/parser"
 "github.com/moby/patternmatcher"
 "github.com/moby/patternmatcher/ignorefile"
+ "github.com/moby/sys/symlink"
 "github.com/pkg/errors"
 )
@@ -177,7 +178,8 @@ func StatAt(remote builder.Source, path string) (os.FileInfo, error) {
 // FullPath is a helper for getting a full path for a path from a source
 func FullPath(remote builder.Source, path string) (string, error) {
- fullPath, err := containerfs.ResolveScopedPath(remote.Root(), path)
+ remoteRoot := remote.Root()
+ fullPath, err := symlink.FollowSymlinkInScope(filepath.Join(remoteRoot, path), remoteRoot)
 if err != nil {
 if runtime.GOOS == "windows" {
 return "", fmt.Errorf("failed to resolve scoped path %s (%s): %s. Possible cause is a forbidden path outside the build context", path, fullPath, err)
diff --git a/container/container.go b/container/container.go
index be492a0fa3..3dedd2469d 100644
--- a/container/container.go
+++ b/container/container.go
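Review bot: In `normalize`, `cleanPath` and `fullPath` are derived from `path` in two different ways, and nothing on the new line says that this is deliberate. `cleanPath` is rooted before cleaning (`filepath.Clean(string(filepath.Separator) + path)[1:]`), which clamps leading `..`, while `fullPath` goes through `filepath.Join(root, path)`, which collapses `..` lexically and can produce a path that is no longer under `root`; as far as I know `FollowSymlinkInScope` returns an error for such a path instead of clamping it, which is what the `forbidden path outside the build context` wrap then reports. If that rejection is the intent, I would record it above the call: `// path is joined unclamped: a path that climbs above root must fail here rather than be rewritten`. If clamping was meant instead, the call would take `cleanPath`; the hunk does not show which behaviour the callers rely on.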
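Review bot: The Windows branch of `FullPath` formats `fullPath` into the error message, but this branch only runs after the resolver has failed, so `fullPath` is presumably empty and the message prints `()`. The caller-supplied `path` is written with `%s` rather than quoted, and `err` is flattened with `%s` instead of being wrapped, so callers cannot inspect the cause. I would change the line to `return "", fmt.Errorf("failed to resolve scoped path %q: %w. Possible cause is a forbidden path outside the build context", path, err)`. The rest of `FullPath` lies outside the hunk, so the non-Windows branch is not visible here.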
@@ -310,8 +310,8 @@ func (container *Container) GetResourcePath(path string) (string, error) {
 return "", errors.New("GetResourcePath: BaseFS of container " + container.ID + " is unexpectedly empty")
 }
 // IMPORTANT - These are paths on the OS where the daemon is running, hence
- // any filepath operations must be done in an OS agnostic way.
- r, e := containerfs.ResolveScopedPath(container.BaseFS, containerfs.CleanScopedPath(path))
+ // any filepath operations must be done in an OS-agnostic way.
+ r, e := symlink.FollowSymlinkInScope(filepath.Join(container.BaseFS, containerfs.CleanScopedPath(path)), container.BaseFS)
 // Log this here on the daemon side as there's otherwise no indication apart
 // from the error being propagated all the way back to the client. This makes
diff --git a/pkg/containerfs/containerfs.go b/pkg/containerfs/containerfs.go
index 186c138f81..f71bb036c7 100644
--- a/pkg/containerfs/containerfs.go
+++ b/pkg/containerfs/containerfs.go
@@ -20,6 +20,8 @@ func CleanScopedPath(path string) string {
 // ResolveScopedPath evaluates the given path scoped to the root.
 // For example, if root=/a, and path=/b/c, then this function would return /a/b/c.
+//
+// Deprecated: use [symlink.FollowSymlinkInScope].
 func ResolveScopedPath(root, path string) (string, error) {
 return symlink.FollowSymlinkInScope(filepath.Join(root, path), root)
 }
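Review bot: The comment above the new `FollowSymlinkInScope` call in `GetResourcePath` covers OS-agnostic path handling but says nothing about how long the result stays valid. The path is resolved against `container.BaseFS` at call time only, and the container's filesystem can change afterwards. I would extend the comment with `// The result is only guaranteed to be inside BaseFS at the time of this call; callers must not rely on it once the container's filesystem may have changed.` The hunk also starts using `symlink` and `filepath` while keeping `containerfs.CleanScopedPath`, and no import hunk for container.go is shown, so both packages are presumably already imported. The function begins and ends outside the hunk.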
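Review bot: The `Deprecated:` line on `ResolveScopedPath` names the replacement but not how to call it, and the two signatures differ. The old function takes `(root, path)` and joins them itself, as its body shows, while the replacement takes the already-joined path first and the root second. A caller that migrates by swapping only the function name would pass the root as the path to resolve. I would write `// Deprecated: use [symlink.FollowSymlinkInScope] with filepath.Join(root, path) as the path and root as the scope.`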