author | Sebastiaan van Stijn <github@gone.nl> | 2023-03-06 17:21:15 +0100 |
---|---|---|
committer | Sebastiaan van Stijn <github@gone.nl> | 2023-03-06 17:21:15 +0100 |
commit | b0b3c62a840611bfd71e3f989122b065d70e1ca4 (patch) | |
tree | 5cff4305af8f128bbbc95e45639490c62cdf5193 | |
parent | 6f719c74a9ef01d4a48df9b16e20329f8908fa2d (diff) | |
download | docker-b0b3c62a840611bfd71e3f989122b065d70e1ca4.tar.gz |
vendor: github.com/moby/buildkit v0.11.4
- provenance: ensure URLs are redacted before being written (fixes CVE-2023-26054)
full diff: https://github.com/moby/buildkit/compare/218e934edfba...v0.11.4
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
-rw-r--r-- | vendor.mod | 2 | ||||
-rw-r--r-- | vendor.sum | 4 | ||||
-rw-r--r-- | vendor/github.com/moby/buildkit/solver/llbsolver/provenance/capture.go | 3 | ||||
-rw-r--r-- | vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go | 13 | ||||
-rw-r--r-- | vendor/modules.txt | 2 |
5 files changed, 20 insertions, 4 deletions
diff --git a/vendor.mod b/vendor.mod
index 3d41b998de..7e620250f9 100644
--- a/vendor.mod
+++ b/vendor.mod
@@ -56,7 +56,7 @@ require (
 github.com/klauspost/compress v1.15.12
 github.com/miekg/dns v1.1.43
 github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible
- github.com/moby/buildkit v0.11.4-0.20230228113103-218e934edfba
+ github.com/moby/buildkit v0.11.4
 github.com/moby/ipvs v1.1.0
 github.com/moby/locker v1.0.1
 github.com/moby/patternmatcher v0.5.0
diff --git a/vendor.sum b/vendor.sum
index abcf6ae7e2..ac7a8070bf 100644
--- a/vendor.sum
+++ b/vendor.sum
@@ -755,8 +755,8 @@ github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0Qu
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A=
-github.com/moby/buildkit v0.11.4-0.20230228113103-218e934edfba h1:sDHdZsyWOKBa1hYp0yk5a5bIWQgfa3ftc+c1nBSA+dI=
-github.com/moby/buildkit v0.11.4-0.20230228113103-218e934edfba/go.mod h1:P5Qi041LvCfhkfYBHry+Rwoo3Wi6H971J2ggE+PcIoo=
+github.com/moby/buildkit v0.11.4 h1:mleVHr+n7HUD65QNUkgkT3d8muTzhYUoHE9FM3Ej05s=
+github.com/moby/buildkit v0.11.4/go.mod h1:P5Qi041LvCfhkfYBHry+Rwoo3Wi6H971J2ggE+PcIoo=
 github.com/moby/ipvs v1.1.0 h1:ONN4pGaZQgAx+1Scz5RvWV4Q7Gb+mvfRh3NsPS+1XQQ=
 github.com/moby/ipvs v1.1.0/go.mod h1:4VJMWuf098bsUMmZEiD4Tjk/O7mOn3l1PTD3s4OoYAs=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/capture.go b/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/capture.go
index a176e9875f..6252ebc3cf 100644
--- a/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/capture.go
+++ b/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/capture.go
@@ -5,6 +5,7 @@ import (
 distreference "github.com/docker/distribution/reference"
 "github.com/moby/buildkit/solver/result"
+ "github.com/moby/buildkit/util/urlutil"
 digest "github.com/opencontainers/go-digest"
 ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 )
@@ -190,6 +191,7 @@ func (c *Capture) AddLocal(l LocalSource) {
 }
 func (c *Capture) AddGit(g GitSource) {
+ g.URL = urlutil.RedactCredentials(g.URL)
 for _, v := range c.Sources.Git {
 if v.URL == g.URL {
 return
@@ -199,6 +201,7 @@ func (c *Capture) AddGit(g GitSource) {
 }
 func (c *Capture) AddHTTP(h HTTPSource) {
+ h.URL = urlutil.RedactCredentials(h.URL)
 for _, v := range c.Sources.HTTP {
 if v.URL == h.URL {
 return
diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go b/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go
index 7608f5cfae..a7b5a78cca 100644
--- a/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go
+++ b/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go
@@ -7,6 +7,7 @@ import (
 slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
 slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
 "github.com/moby/buildkit/util/purl"
+ "github.com/moby/buildkit/util/urlutil"
 ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 "github.com/package-url/packageurl-go"
 )
@@ -151,6 +152,7 @@ func NewPredicate(c *Capture) (*ProvenancePredicate, error) {
 } else {
 inv.ConfigSource.URI = v
 }
+ inv.ConfigSource.URI = urlutil.RedactCredentials(inv.ConfigSource.URI)
 delete(c.Args, contextKey)
 }
@@ -162,6 +164,9 @@ func NewPredicate(c *Capture) (*ProvenancePredicate, error) {
 vcs := make(map[string]string)
 for k, v := range c.Args {
 if strings.HasPrefix(k, "vcs:") {
+ if k == "vcs:source" {
+ v = urlutil.RedactCredentials(v)
+ }
 delete(c.Args, k)
 if v != "" {
 vcs[strings.TrimPrefix(k, "vcs:")] = v
@@ -231,6 +236,11 @@ func FilterArgs(m map[string]string) map[string]string {
 "platform": {},
 "cache-imports": {},
 }
+ const defaultContextKey = "context"
+ contextKey := defaultContextKey
+ if v, ok := m["contextkey"]; ok && v != "" {
+ contextKey = v
+ }
 out := make(map[string]string)
 for k, v := range m {
 if _, ok := hostSpecificArgs[k]; ok {
@@ -239,6 +249,9 @@ func FilterArgs(m map[string]string) map[string]string {
 if strings.HasPrefix(k, "attest:") {
 continue
 }
+ if k == contextKey || strings.HasPrefix(k, defaultContextKey+":") {
+ v = urlutil.RedactCredentials(v)
+ }
 out[k] = v
 }
 return out
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b60e18a051..86e26a65bd 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -542,7 +542,7 @@ github.com/mistifyio/go-zfs
 # github.com/mitchellh/hashstructure/v2 v2.0.2
 ## explicit; go 1.14
 github.com/mitchellh/hashstructure/v2
-# github.com/moby/buildkit v0.11.4-0.20230228113103-218e934edfba
+# github.com/moby/buildkit v0.11.4
 ## explicit; go 1.18
 github.com/moby/buildkit/api/services/control
 github.com/moby/buildkit/api/types |