Scrub user and group names from layer diffs

When generating layer diffs or extracting container contents, scrub the user and group name fields in tar headers before saving them. Signed-off-by: Nalin Dahyabhai <[email protected]>
flouthoc · Aug 10, 2022 · da4647b · da4647b
1 parent 5c081c0
commit da4647b
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 0 deletions.
diff --git a/image.go b/image.go
@@ -430,6 +430,16 @@ func (i *containerImageRef) NewImageSource(ctx context.Context, sc *types.System
 			return nil, fmt.Errorf("error compressing %s: %w", what, err)
 		}
 		writer := io.MultiWriter(writeCloser, srcHasher.Hash())
+		// Scrub any local user names that might correspond to UIDs or GIDs of
+		// files in this layer.
+		{
+			nestedWriteCloser := ioutils.NewWriteCloserWrapper(writer, writeCloser.Close)
+			writeCloser = newTarFilterer(nestedWriteCloser, func(hdr *tar.Header) (bool, bool, io.Reader) {
+				hdr.Uname, hdr.Gname = "", ""
+				return false, false, nil
+			})
+			writer = io.Writer(writeCloser)
+		}
 		// Use specified timestamps in the layer, if we're doing that for
 		// history entries.
 		if i.created != nil {

diff --git a/tests/commit.bats b/tests/commit.bats
@@ -305,3 +305,24 @@ load helpers
   run_buildah commit --authfile ${TEST_SCRATCH_DIR}/test.auth $WITH_POLICY_JSON --tls-verify=false $cid docker://localhost:${REGISTRY_PORT}/buildah/my-busybox
   expect_output --substring "Writing manifest to image destination"
 }
+
+@test "commit-without-names" {
+  _prefetch busybox
+  run_buildah from --quiet --pull=false $WITH_POLICY_JSON busybox
+  cid=$output
+  run_buildah run $cid touch /testfile
+  run_buildah run $cid chown $(id -u):$(id -g) /testfile
+  run_buildah commit $cid dir:${TEST_SCRATCH_DIR}/new-image
+  config=$(jq -r .config.digest ${TEST_SCRATCH_DIR}/new-image/manifest.json)
+  echo "config blob is $config"
+  diffid=$(jq -r '.rootfs.diff_ids[-1]' ${TEST_SCRATCH_DIR}/new-image/${config##*:})
+  echo "new layer is $diffid"
+  run_buildah copy $cid ${TEST_SCRATCH_DIR}/new-image/${diffid##*:} /testdiff.tar
+  # use in-container version of tar to avoid worrying about differences in
+  # output formats between tar implementations
+  run_buildah run $cid tar tvf /testdiff.tar testfile
+  echo "new file looks like [$output]"
+  # ownership information should be forced to be in number/number format
+  # instead of name/name because the names are gone
+  assert "$output" =~ $(id -u)/$(id -g)
+}