From 66b4d497f8db0ae4dde3b4fb47a0aaff73922604 Mon Sep 17 00:00:00 2001
From: mkosiarc
Date: Mon, 1 Jul 2024 10:33:11 +0200
Subject: [PATCH] Check broken symlinks and don't fail on them unnecessarily Previously, we were using the -f option for the readlink command. This means that if the symlink was broken (pointing to nonexistent file), the file path was not evaluated and the readlink command failed which meant that the git clone task failed as well. By using the -m option, the symlink path will be evaluated every time. This means that we will not break builds that contain broken symlinks pointing to nonexistent files within the directory. However, if the symlink is pointing to nonexistent file OUTSIDE of the repo, we will fail the task, as expected to avoid security concerns. STONEBLD-2492
Signed-off-by: mkosiarc
---
 task/git-clone/0.1/git-clone.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/task/git-clone/0.1/git-clone.yaml b/task/git-clone/0.1/git-clone.yaml
index 53f101ca77..6fb6735920 100644
--- a/task/git-clone/0.1/git-clone.yaml
+++ b/task/git-clone/0.1/git-clone.yaml
@@ -265,7 +265,7 @@ spec:
 FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false
 while read symlink
 do
- target=$(readlink -f "$symlink")
+ target=$(readlink -m "$symlink")
 if ! [[ "$target" =~ ^$CHECKOUT_DIR ]]; then
 echo "The cloned repository contains symlink pointing outside of the cloned repository: $symlink"
 FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true
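Review bot: The containment test on the `if ! [[ "$target" =~ ^$CHECKOUT_DIR ]]` line is a prefix regex with no path-separator boundary, and now that `readlink -m` canonicalises every link it is the only guard left. It accepts any target that merely starts with the checkout path (a sibling such as `$CHECKOUT_DIR-other/...`), and characters like `.` in `$CHECKOUT_DIR` are read as regex metacharacters. A literal comparison with a separator is stricter: `if [[ "$target" != "$CHECKOUT_DIR" && "$target" != "$CHECKOUT_DIR"/* ]]; then`. This presumes `$CHECKOUT_DIR` is itself an absolute, canonical path; it is set outside the hunk, so that should be confirmed. The `while read symlink` line would also be safer as `while IFS= read -r symlink`, since without `-r` a link name containing a backslash is altered before it reaches `readlink`; the loop's input and its `done` are outside the hunk.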