From f158342d681744a5495ca7fa0404e2c2fb5b1d22 Mon Sep 17 00:00:00 2001
From: mkosiarc
Date: Mon, 1 Jul 2024 10:33:11 +0200
Subject: [PATCH] Check broken symlinks and don't fail on them unnecessarily
Previously, we were using the -f option for the readlink command. This means that if the symlink was broken (pointing to nonexistent file), the file path was not evaluated and the readlink command failed which meant that the git clone task failed as well. By using the -m option, the symlink path will be evaluated every time. This means that we will not break builds that contain broken symlinks pointing to nonexistent files within the directory. However, if the symlink is pointing to nonexistent file OUTSIDE of the repo, we will fail the task, as expected to avoid security concerns. STONEBLD-2492
Signed-off-by: mkosiarc
---
 task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml | 2 +-
 task/git-clone/0.1/git-clone.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml
index ee94e893aa..7e1aa19cc4 100644
--- a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml
+++ b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml
@@ -263,7 +263,7 @@ spec:
 check_symlinks() {
 FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false
 while read symlink; do
- target=$(readlink -f "$symlink")
+ target=$(readlink -m "$symlink")
 if ! [[ "$target" =~ ^$CHECKOUT_DIR ]]; then
 echo "The cloned repository contains symlink pointing outside of the cloned repository: $symlink"
 FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true
diff --git a/task/git-clone/0.1/git-clone.yaml b/task/git-clone/0.1/git-clone.yaml
index 53f101ca77..6fb6735920 100644
--- a/task/git-clone/0.1/git-clone.yaml
+++ b/task/git-clone/0.1/git-clone.yaml
@@ -265,7 +265,7 @@ spec:
 FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false
 while read symlink
 do
- target=$(readlink -f "$symlink")
+ target=$(readlink -m "$symlink")
 if ! [[ "$target" =~ ^$CHECKOUT_DIR ]]; then
 echo "The cloned repository contains symlink pointing outside of the cloned repository: $symlink"
 FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true
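Review bot: The containment test on the line after the changed `readlink` call, `[[ "$target" =~ ^$CHECKOUT_DIR ]]`, is a regex prefix match with no path-separator boundary, so a target in a sibling directory whose name merely begins with the checkout path is accepted, and any regex metacharacters in `$CHECKOUT_DIR` are interpreted instead of matched literally. Per the commit message a dangling link no longer aborts the task once `readlink -m` is used, so this comparison alone decides the outcome. It should be a literal, separator-aware test such as `if [[ "$target" != "$CHECKOUT_DIR" && "$target" != "$CHECKOUT_DIR"/* ]]; then`, with `$CHECKOUT_DIR` canonicalized the same way as the target (its definition is outside the hunk, so that needs confirming). The identical lines in the `check_symlinks` hunk of task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml need the same change. Separately, `while read symlink` would be safer as `while IFS= read -r symlink`, so that names containing backslashes or leading/trailing whitespace are checked exactly as they exist on disk; the loop's input and the end of the function are outside the hunk.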