add,copy: if multiple sources are used in ADD or COPY then dest must end with a slash
#4183
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: flouthoc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
flouthoc
force-pushed
the
add-disallow-dest-dir-without-slash
branch
from
7274705
to
7ab4388
Compare
add.go
Outdated
| // Check length before accessing `0` | ||
| // to avoid `index out of range`. | ||
| if len(sources) == 1 { | ||
| if strings.HasSuffix(sources[0], "*") { |
There was a problem hiding this comment.
Should you check for len(sources)==0 and return an error?
There was a problem hiding this comment.
Why is a suffix of "*" the special case here?
There was a problem hiding this comment.
Special case is here to match with the current behavior of docker #4167 (comment)
| } | ||
| } | ||
| if multipleSources { | ||
| if !strings.HasSuffix(destination, "/") { |
There was a problem hiding this comment.
Does docker enforce this? Or does it just check if destination is not a directory then throw an error?
There was a problem hiding this comment.
Just chiming in that if the directory already exists, podman/buildah does the expected (?) thing and copies all the matches of the wildcard into the existing directory
Re-using the reproducer from #4167, if you modify the Dockerfile to this
FROM alpine:latest as builder
RUN mkdir /spam
COPY spam/*.txt /spamThen it copies all the files
There was a problem hiding this comment.
@rhatdan I think docker checks this cause rule is
* If multiple <src> resources are specified, either directly or due to the use of a wildcard, then <dest> must be a directory, and it must end with a slash /.
There was a problem hiding this comment.
I still believe this should be done on in the copier.
Basically if the SRC contains more then one file and the DEST is not a directory, then it should return an error.
The directory should not be checked for ending with /
There was a problem hiding this comment.
@rhatdan Yes the function is validateSourceAndDest to validates this using filepath.Glob( there is also a test which verifies the same, i can add few more test cases if this is a concern and move it to copier.
There was a problem hiding this comment.
We're already globbing inside a chroot further down, when we call copier.Stat(), and we're probably better off doing this sort of check just after that, when we have all of the facts. Doing this before that means that the current iteration of this patch passes URLs for remote locations to filepath.Glob(), which is a bug.
There was a problem hiding this comment.
I guess they do document the following:
If <dest> does not end with a trailing slash, it will be considered a regular file and the contents of <src> will be written at <dest>.
But @nalind question above has not been addressed
There was a problem hiding this comment.
Basically if the SRC contains more then one file and the DEST is not a directory, then it should return an error.
The directory should not be checked for ending with /
+1 to this, it sounds reasonable to me that if the destination already exists then the trailing slash doesn't need to be enforced. It wouldn't be 100% consistent with docker, but isn't it likely that some users are already doing this? E.g. copying things to /etc or other standard dirs
There was a problem hiding this comment.
@chmeliik Yes that is already addressed I just need to move code around as per @nalind 's suggestion here #4183 (comment) , I'll amend this.
There was a problem hiding this comment.
Done moved to just after we split local and remote sources and only validating local sources now.
flouthoc
force-pushed
the
add-disallow-dest-dir-without-slash
branch
3 times, most recently
from
e60a9ef
to
f1d47cc
Compare
|
I know I lost my mind a long time ago, but didn't we enforce an ending slash at one point and then removed the enforcement as it was counter to Docker? |
|
A friendly reminder that this PR had no activity for 30 days. |
|
@flouthoc any chance you get get back to this one? |
Sure yes, I'll amend this again in this week. |
|
A friendly reminder that this PR had no activity for 30 days. |
|
@flouthoc Any movement on this? |
|
A friendly reminder that this PR had no activity for 30 days. |
|
@flouthoc Reminder |
|
A friendly reminder that this PR had no activity for 30 days. |
|
@flouthoc after the release lets get back to this one. |
|
@rhatdan Yes getting back on this and closing this one. |
flouthoc
force-pushed
the
add-disallow-dest-dir-without-slash
branch
from
f1d47cc
to
33bcb72
Compare
When using `ADD` or `COPY` enforce the condition that destination must look like a directory by making sure that destination ends with a slash `/`. This ensures that we don't hit undefined behaviour for example with the use case `COPY some/* /oncontainer` it is not clear that `oncontainer` will be a directory or a file, users expect it to be a directory if `*` wildcard resolves to multiple files and logically if wildcard resolves to single file then it should be a directory, since this condition is undefined and not in parity with docker so lets drop support for it. Docker's defined rule: * If multiple <src> resources are specified, either directly or due to the use of a wildcard, then <dest> must be a directory, and it must end with a slash /. Reference: https://docs.docker.com/engine/reference/builder/#add Closes: containers#4167 Signed-off-by: Aditya R <arajan@redhat.com>
Accoring to new validation in ADD and COPY if there are multiple sources then destination must specify that it is a directory Signed-off-by: Aditya R <arajan@redhat.com>
flouthoc
force-pushed
the
add-disallow-dest-dir-without-slash
branch
from
33bcb72
to
86a9ac4
Compare
|
A friendly reminder that this PR had no activity for 30 days. |
|
LGTM |
|
LGTM, but would like a head nod from @vrothberg or @nalind to make sure comments were addressed. |
|
A friendly reminder that this PR had no activity for 30 days. |
|
This still needs to be reworked. |
When using
ADDorCOPYenforce the condition that destination mustlook like a directory by making sure that destination ends with a slash
/.This ensures that we don't hit undefined behaviour for example with
the use case
COPY some/* /oncontainerit is not clear thatoncontainerwill be a directory or a file, users expect it to be adirectory if
*wildcard resolves to multiple files and logically ifwildcard resolves to single file then it should be a directory, since
this condition is undefined and not in parity with docker so lets drop
support for it.
Docker's defined rule:
<src>resources are specified, either directly or due to theuse of a wildcard, then
<dest>must be a directory, and it must end with a slash/.Reference: https://docs.docker.com/engine/reference/builder/#add
Closes: #4167