author | Sebastiaan van Stijn <github@gone.nl> | 2023-03-06 17:21:15 +0100 |
---|---|---|
committer | Sebastiaan van Stijn <github@gone.nl> | 2023-03-06 17:21:15 +0100 |
commit | b0b3c62a840611bfd71e3f989122b065d70e1ca4 (patch) | |
tree | 5cff4305af8f128bbbc95e45639490c62cdf5193 /vendor | |
parent | 6f719c74a9ef01d4a48df9b16e20329f8908fa2d (diff) | |
download | docker-b0b3c62a840611bfd71e3f989122b065d70e1ca4.tar.gz |
vendor: github.com/moby/buildkit v0.11.4
- provenance: ensure URLs are redacted before written (fixes CVE-2023-26054)
full diff: https://github.com/moby/buildkit/compare/218e934edfba...v0.11.4
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Diffstat (limited to 'vendor')
-rw-r--r-- | vendor/github.com/moby/buildkit/solver/llbsolver/provenance/capture.go | 3 | ||||
-rw-r--r-- | vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go | 13 | ||||
-rw-r--r-- | vendor/modules.txt | 2 |
3 files changed, 17 insertions, 1 deletions
diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/capture.go b/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/capture.go
index a176e9875f..6252ebc3cf 100644
--- a/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/capture.go
+++ b/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/capture.go
@@ -5,6 +5,7 @@ import (
 distreference "github.com/docker/distribution/reference"
 "github.com/moby/buildkit/solver/result"
+ "github.com/moby/buildkit/util/urlutil"
 digest "github.com/opencontainers/go-digest"
 ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 )
@@ -190,6 +191,7 @@ func (c *Capture) AddLocal(l LocalSource) {
 }
 func (c *Capture) AddGit(g GitSource) {
+ g.URL = urlutil.RedactCredentials(g.URL)
 for _, v := range c.Sources.Git {
 if v.URL == g.URL {
 return
@@ -199,6 +201,7 @@ func (c *Capture) AddGit(g GitSource) {
 }
 func (c *Capture) AddHTTP(h HTTPSource) {
+ h.URL = urlutil.RedactCredentials(h.URL)
 for _, v := range c.Sources.HTTP {
 if v.URL == h.URL {
 return
diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go b/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go
index 7608f5cfae..a7b5a78cca 100644
--- a/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go
+++ b/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go
@@ -7,6 +7,7 @@ import (
 slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
 slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
 "github.com/moby/buildkit/util/purl"
+ "github.com/moby/buildkit/util/urlutil"
 ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 "github.com/package-url/packageurl-go"
 )
@@ -151,6 +152,7 @@ func NewPredicate(c *Capture) (*ProvenancePredicate, error) {
 } else {
 inv.ConfigSource.URI = v
 }
+ inv.ConfigSource.URI = urlutil.RedactCredentials(inv.ConfigSource.URI)
 delete(c.Args, contextKey)
 }
@@ -162,6 +164,9 @@ func NewPredicate(c *Capture) (*ProvenancePredicate, error) {
 vcs := make(map[string]string)
 for k, v := range c.Args {
 if strings.HasPrefix(k, "vcs:") {
+ if k == "vcs:source" {
+ v = urlutil.RedactCredentials(v)
+ }
 delete(c.Args, k)
 if v != "" {
 vcs[strings.TrimPrefix(k, "vcs:")] = v
@@ -231,6 +236,11 @@ func FilterArgs(m map[string]string) map[string]string {
 "platform": {},
 "cache-imports": {},
 }
+ const defaultContextKey = "context"
+ contextKey := defaultContextKey
+ if v, ok := m["contextkey"]; ok && v != "" {
+ contextKey = v
+ }
 out := make(map[string]string)
 for k, v := range m {
 if _, ok := hostSpecificArgs[k]; ok {
@@ -239,6 +249,9 @@ func FilterArgs(m map[string]string) map[string]string {
 if strings.HasPrefix(k, "attest:") {
 continue
 }
+ if k == contextKey || strings.HasPrefix(k, defaultContextKey+":") {
+ v = urlutil.RedactCredentials(v)
+ }
 out[k] = v
 }
 return out
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b60e18a051..86e26a65bd 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -542,7 +542,7 @@ github.com/mistifyio/go-zfs
 # github.com/mitchellh/hashstructure/v2 v2.0.2
 ## explicit; go 1.14
 github.com/mitchellh/hashstructure/v2
-# github.com/moby/buildkit v0.11.4-0.20230228113103-218e934edfba
+# github.com/moby/buildkit v0.11.4
 ## explicit; go 1.18
 github.com/moby/buildkit/api/services/control
 github.com/moby/buildkit/api/types |