From c577ee7989fd3eab39cb21c96d95430cc6567b84 Mon Sep 17 00:00:00 2001 From: Greg Magolan Date: Tue, 2 Apr 2024 19:16:20 -0400 Subject: [PATCH] refactor: make unresolved_symlinks_enabled attribute of js_binary mandatory (#1571) --- docs/js_binary.md | 4 ++-- js/private/js_binary.bzl | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/js_binary.md b/docs/js_binary.md index 28343bcf0..7b1d1b15c 100644 --- a/docs/js_binary.md +++ b/docs/js_binary.md @@ -87,7 +87,7 @@ The following environment variables are made available to the Node.js runtime ba | node_toolchain | The Node.js toolchain to use for this target.

See https://bazelbuild.github.io/rules_nodejs/Toolchains.html

Typically this is left unset so that Bazel automatically selects the right Node.js toolchain for the target platform. See https://bazel.build/extending/toolchains#toolchain-resolution for more information. | Label | optional | None | | patch_node_fs | Patch the to Node.js fs API (https://nodejs.org/api/fs.html) for this node program to prevent the program from following symlinks out of the execroot, runfiles and the sandbox.

When enabled, js_binary patches the Node.js sync and async fs API functions lstat, readlink, realpath, readdir and opendir so that the node program being run cannot resolve symlinks out of the execroot and the runfiles tree. When in the sandbox, these patches prevent the program being run from resolving symlinks out of the sandbox.

When disabled, node programs can leave the execroot, runfiles and sandbox by following symlinks which can lead to non-hermetic behavior. | Boolean | optional | True | | preserve_symlinks_main | When True, the --preserve-symlinks-main flag is passed to node.

This prevents node from following an ESM entry script out of runfiles and the sandbox. This can happen for .mjs ESM entry points where the fs node patches, which guard the runfiles and sandbox, are not applied. See https://github.com/aspect-build/rules_js/issues/362 for more information. Once #362 is resolved, the default for this attribute can be set to False.

This flag was added in Node.js v10.2.0 (released 2018-05-23). If your node toolchain is configured to use a Node.js version older than this you'll need to set this attribute to False.

See https://nodejs.org/api/cli.html#--preserve-symlinks-main for more information. | Boolean | optional | True | -| unresolved_symlinks_enabled | Whether unresolved symlinks are enabled in the current build configuration.

These are enabled with the --allow_unresolved_symlinks flag (named --experimental_allow_unresolved_symlinks in Bazel versions prior to 7.0).

Typical usage of this rule is via a macro which automatically sets this attribute based on a
config_setting rule. See /js/private/BUILD.bazel in rules_js for an example. | Boolean | optional | False | +| unresolved_symlinks_enabled | Whether unresolved symlinks are enabled in the current build configuration.

These are enabled with the --allow_unresolved_symlinks flag (named --experimental_allow_unresolved_symlinks in Bazel versions prior to 7.0).

Typical usage of this rule is via a macro which automatically sets this attribute based on a
config_setting rule. See /js/private/BUILD.bazel in rules_js for an example. | Boolean | required | | @@ -147,7 +147,7 @@ the contract between Bazel and a test runner. | node_toolchain | The Node.js toolchain to use for this target.

See https://bazelbuild.github.io/rules_nodejs/Toolchains.html

Typically this is left unset so that Bazel automatically selects the right Node.js toolchain for the target platform. See https://bazel.build/extending/toolchains#toolchain-resolution for more information. | Label | optional | None | | patch_node_fs | Patch the to Node.js fs API (https://nodejs.org/api/fs.html) for this node program to prevent the program from following symlinks out of the execroot, runfiles and the sandbox.

When enabled, js_binary patches the Node.js sync and async fs API functions lstat, readlink, realpath, readdir and opendir so that the node program being run cannot resolve symlinks out of the execroot and the runfiles tree. When in the sandbox, these patches prevent the program being run from resolving symlinks out of the sandbox.

When disabled, node programs can leave the execroot, runfiles and sandbox by following symlinks which can lead to non-hermetic behavior. | Boolean | optional | True | | preserve_symlinks_main | When True, the --preserve-symlinks-main flag is passed to node.

This prevents node from following an ESM entry script out of runfiles and the sandbox. This can happen for .mjs ESM entry points where the fs node patches, which guard the runfiles and sandbox, are not applied. See https://github.com/aspect-build/rules_js/issues/362 for more information. Once #362 is resolved, the default for this attribute can be set to False.

This flag was added in Node.js v10.2.0 (released 2018-05-23). If your node toolchain is configured to use a Node.js version older than this you'll need to set this attribute to False.

See https://nodejs.org/api/cli.html#--preserve-symlinks-main for more information. | Boolean | optional | True | -| unresolved_symlinks_enabled | Whether unresolved symlinks are enabled in the current build configuration.

These are enabled with the --allow_unresolved_symlinks flag (named --experimental_allow_unresolved_symlinks in Bazel versions prior to 7.0).

Typical usage of this rule is via a macro which automatically sets this attribute based on a
config_setting rule. See /js/private/BUILD.bazel in rules_js for an example. | Boolean | optional | False | +| unresolved_symlinks_enabled | Whether unresolved symlinks are enabled in the current build configuration.

These are enabled with the --allow_unresolved_symlinks flag (named --experimental_allow_unresolved_symlinks in Bazel versions prior to 7.0).

Typical usage of this rule is via a macro which automatically sets this attribute based on a
config_setting rule. See /js/private/BUILD.bazel in rules_js for an example. | Boolean | required | | diff --git a/js/private/js_binary.bzl b/js/private/js_binary.bzl index 3327f4d1c..1e011b4fe 100644 --- a/js/private/js_binary.bzl +++ b/js/private/js_binary.bzl @@ -267,8 +267,7 @@ _ATTRS = { attribute based on a `config_setting` rule. See /js/private/BUILD.bazel in rules_js for an example. """, - # TODO(2.0): make this mandatory so that downstream binary rules that inherit these attributes are required to set it - mandatory = False, + mandatory = True, ), "node_toolchain": attr.label( doc = """The Node.js toolchain to use for this target.