authorSebastiaan van Stijn <github@gone.nl>2023-03-06 17:21:15 +0100
committerSebastiaan van Stijn <github@gone.nl>2023-03-06 17:21:15 +0100
commitb0b3c62a840611bfd71e3f989122b065d70e1ca4 (patch)
tree5cff4305af8f128bbbc95e45639490c62cdf5193 /vendor
parent6f719c74a9ef01d4a48df9b16e20329f8908fa2d (diff)
downloaddocker-b0b3c62a840611bfd71e3f989122b065d70e1ca4.tar.gz
vendor: github.com/moby/buildkit v0.11.4
- provenance: ensure URLs are redacted before written (fixes CVE-2023-26054) full diff: https://github.com/moby/buildkit/compare/218e934edfba...v0.11.4 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Diffstat (limited to 'vendor')
-rw-r--r--vendor/github.com/moby/buildkit/solver/llbsolver/provenance/capture.go3
-rw-r--r--vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go13
-rw-r--r--vendor/modules.txt2
3 files changed, 17 insertions, 1 deletions
diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/capture.go b/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/capture.go
index a176e9875f..6252ebc3cf 100644
--- a/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/capture.go
+++ b/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/capture.go
@@ -5,6 +5,7 @@ import (
distreference "github.com/docker/distribution/reference"
"github.com/moby/buildkit/solver/result"
+ "github.com/moby/buildkit/util/urlutil"
digest "github.com/opencontainers/go-digest"
ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
)
@@ -190,6 +191,7 @@ func (c *Capture) AddLocal(l LocalSource) {
}
func (c *Capture) AddGit(g GitSource) {
+ g.URL = urlutil.RedactCredentials(g.URL)
for _, v := range c.Sources.Git {
if v.URL == g.URL {
return
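Review bot: The new first line of AddGit makes the duplicate check below compare redacted URLs, so two Git sources that differ only in their userinfo now collapse into one entry; that looks intended, but nothing in the code says so. A short comment such as `// Redact before the duplicate check so neither the comparison nor the stored entry ever holds userinfo.` would keep a later refactor from moving the call below the loop. Because `g` is passed by value, the caller's copy still holds the original URL, which matters for any other place that serialises it. AddGit's body continues past the end of this hunk.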
@@ -199,6 +201,7 @@ func (c *Capture) AddGit(g GitSource) {
}
func (c *Capture) AddHTTP(h HTTPSource) {
+ h.URL = urlutil.RedactCredentials(h.URL)
for _, v := range c.Sources.HTTP {
if v.URL == h.URL {
return
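Review bot: Redaction in AddHTTP depends entirely on what `urlutil.RedactCredentials` treats as a credential, and its implementation is not part of this diff. If it only strips the userinfo part of the URL, HTTP sources that carry a token in the query string (pre-signed download links, for example) would still be written to the provenance unchanged. This is worth confirming against the helper and, if that is the case, stating the limit in a comment here, e.g. `// Only userinfo is redacted; query-string tokens are recorded as given.` AddHTTP's body continues past the end of this hunk.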
diff --git a/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go b/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go
index 7608f5cfae..a7b5a78cca 100644
--- a/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go
+++ b/vendor/github.com/moby/buildkit/solver/llbsolver/provenance/predicate.go
@@ -7,6 +7,7 @@ import (
slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
"github.com/moby/buildkit/util/purl"
+ "github.com/moby/buildkit/util/urlutil"
ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/package-url/packageurl-go"
)
@@ -151,6 +152,7 @@ func NewPredicate(c *Capture) (*ProvenancePredicate, error) {
} else {
inv.ConfigSource.URI = v
}
+ inv.ConfigSource.URI = urlutil.RedactCredentials(inv.ConfigSource.URI)
delete(c.Args, contextKey)
}
@@ -162,6 +164,9 @@ func NewPredicate(c *Capture) (*ProvenancePredicate, error) {
vcs := make(map[string]string)
for k, v := range c.Args {
if strings.HasPrefix(k, "vcs:") {
+ if k == "vcs:source" {
+ v = urlutil.RedactCredentials(v)
+ }
delete(c.Args, k)
if v != "" {
vcs[strings.TrimPrefix(k, "vcs:")] = v
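Review bot: Only the exact key `vcs:source` is redacted inside the loop, so every other `vcs:`-prefixed value is copied into the `vcs` map as supplied. That is fine as long as none of the other keys holds a URL, but a later key that does would be missed without any warning. Assuming `RedactCredentials` returns non-URL strings unchanged (not visible in this diff), dropping the key test and calling `v = urlutil.RedactCredentials(v)` for every `vcs:` value would fail safe; otherwise a comment saying why only `vcs:source` needs it would help. The same function also redacts `inv.ConfigSource.URI` in the hunk above; NewPredicate starts and ends outside both hunks.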
@@ -231,6 +236,11 @@ func FilterArgs(m map[string]string) map[string]string {
"platform": {},
"cache-imports": {},
}
+ const defaultContextKey = "context"
+ contextKey := defaultContextKey
+ if v, ok := m["contextkey"]; ok && v != "" {
+ contextKey = v
+ }
out := make(map[string]string)
for k, v := range m {
if _, ok := hostSpecificArgs[k]; ok {
@@ -239,6 +249,9 @@ func FilterArgs(m map[string]string) map[string]string {
if strings.HasPrefix(k, "attest:") {
continue
}
+ if k == contextKey || strings.HasPrefix(k, defaultContextKey+":") {
+ v = urlutil.RedactCredentials(v)
+ }
out[k] = v
}
return out
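Review bot: FilterArgs redacts only the context key and `context:`-prefixed keys; every other key that survives the host-specific and `attest:` filters reaches `out[k] = v` untouched. Any other argument whose value is a URL with embedded credentials would therefore still be returned by this function; whether such arguments can occur depends on callers not shown here. Also, the prefix test uses `defaultContextKey+":"` even when `contextkey` overrides the key name; if that is deliberate, a comment like `// Named contexts always use the "context:" prefix, regardless of contextkey.` would make it clear. The `contextKey` lookup this relies on is added in the preceding hunk of the same function.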
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b60e18a051..86e26a65bd 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -542,7 +542,7 @@ github.com/mistifyio/go-zfs
# github.com/mitchellh/hashstructure/v2 v2.0.2
## explicit; go 1.14
github.com/mitchellh/hashstructure/v2
-# github.com/moby/buildkit v0.11.4-0.20230228113103-218e934edfba
+# github.com/moby/buildkit v0.11.4
## explicit; go 1.18
github.com/moby/buildkit/api/services/control
github.com/moby/buildkit/api/types