pkg/containerfs: deprecate ResolveScopedPath

thaJeztah · thaJeztah · commit b8f2caa80ab9 · 2024-01-02T15:32:31.000+01:00
If was a very shallow wrapper around symlink.FollowSymlinkInScope, so inline
that code instead.

Signed-off-by: Sebastiaan van Stijn &lt;github@gone.nl&gt;
diff --git a/builder/dockerfile/copy.go b/builder/dockerfile/copy.go
@@ -17,13 +17,13 @@ import (
 	"github.com/docker/docker/builder/remotecontext"
 	"github.com/docker/docker/builder/remotecontext/urlutil"
 	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/containerfs"
 	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/longpath"
 	"github.com/docker/docker/pkg/progress"
 	"github.com/docker/docker/pkg/streamformatter"
 	"github.com/docker/docker/pkg/system"
 	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+	"github.com/moby/sys/symlink"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 )
@@ -45,7 +45,7 @@ type copyInfo struct {
 }
 
 func (c copyInfo) fullPath() (string, error) {
-	return containerfs.ResolveScopedPath(c.root, c.path)
+	return symlink.FollowSymlinkInScope(filepath.Join(c.root, c.path), c.root)
 }
 
 func newCopyInfoFromSource(source builder.Source, path string, hash string) copyInfo {
diff --git a/builder/remotecontext/archive.go b/builder/remotecontext/archive.go
@@ -8,9 +8,9 @@ import (
 	"github.com/docker/docker/builder"
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/chrootarchive"
-	"github.com/docker/docker/pkg/containerfs"
 	"github.com/docker/docker/pkg/longpath"
 	"github.com/docker/docker/pkg/tarsum"
+	"github.com/moby/sys/symlink"
 	"github.com/pkg/errors"
 )
 
@@ -117,7 +117,7 @@ func (c *archiveContext) Hash(path string) (string, error) {
 
 func normalize(path string, root string) (cleanPath, fullPath string, err error) {
 	cleanPath = filepath.Clean(string(filepath.Separator) + path)[1:]
-	fullPath, err = containerfs.ResolveScopedPath(root, path)
+	fullPath, err = symlink.FollowSymlinkInScope(filepath.Join(root, path), root)
 	if err != nil {
 		return "", "", errors.Wrapf(err, "forbidden path outside the build context: %s (%s)", path, cleanPath)
 	}
diff --git a/builder/remotecontext/detect.go b/builder/remotecontext/detect.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 	"runtime"
 	"strings"
 
@@ -15,10 +16,10 @@ import (
 	"github.com/docker/docker/builder"
 	"github.com/docker/docker/builder/remotecontext/urlutil"
 	"github.com/docker/docker/errdefs"
-	"github.com/docker/docker/pkg/containerfs"
 	"github.com/moby/buildkit/frontend/dockerfile/parser"
 	"github.com/moby/patternmatcher"
 	"github.com/moby/patternmatcher/ignorefile"
+	"github.com/moby/sys/symlink"
 	"github.com/pkg/errors"
 )
 
@@ -177,7 +178,8 @@ func StatAt(remote builder.Source, path string) (os.FileInfo, error) {
 
 // FullPath is a helper for getting a full path for a path from a source
 func FullPath(remote builder.Source, path string) (string, error) {
-	fullPath, err := containerfs.ResolveScopedPath(remote.Root(), path)
+	remoteRoot := remote.Root()
+	fullPath, err := symlink.FollowSymlinkInScope(filepath.Join(remoteRoot, path), remoteRoot)
 	if err != nil {
 		if runtime.GOOS == "windows" {
 			return "", fmt.Errorf("failed to resolve scoped path %s (%s): %s. Possible cause is a forbidden path outside the build context", path, fullPath, err)
diff --git a/container/container.go b/container/container.go
@@ -310,8 +310,8 @@ func (container *Container) GetResourcePath(path string) (string, error) {
 		return "", errors.New("GetResourcePath: BaseFS of container " + container.ID + " is unexpectedly empty")
 	}
 	// IMPORTANT - These are paths on the OS where the daemon is running, hence
-	// any filepath operations must be done in an OS agnostic way.
-	r, e := containerfs.ResolveScopedPath(container.BaseFS, containerfs.CleanScopedPath(path))
+	// any filepath operations must be done in an OS-agnostic way.
+	r, e := symlink.FollowSymlinkInScope(filepath.Join(container.BaseFS, containerfs.CleanScopedPath(path)), container.BaseFS)
 
 	// Log this here on the daemon side as there's otherwise no indication apart
 	// from the error being propagated all the way back to the client. This makes
diff --git a/pkg/containerfs/containerfs.go b/pkg/containerfs/containerfs.go
@@ -20,6 +20,8 @@ func CleanScopedPath(path string) string {
 
 // ResolveScopedPath evaluates the given path scoped to the root.
 // For example, if root=/a, and path=/b/c, then this function would return /a/b/c.
+//
+// Deprecated: use [symlink.FollowSymlinkInScope].
 func ResolveScopedPath(root, path string) (string, error) {
 	return symlink.FollowSymlinkInScope(filepath.Join(root, path), root)
 }

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,8 @@ func CleanScopedPath(path string) string {`
`20`	`20`
`21`	`21`	`// ResolveScopedPath evaluates the given path scoped to the root.`
`22`	`22`	`// For example, if root=/a, and path=/b/c, then this function would return /a/b/c.`
	`23`	`+//`
	`24`	`+// Deprecated: use [symlink.FollowSymlinkInScope].`
`23`	`25`	`func ResolveScopedPath(root, path string) (string, error) {`
`24`	`26`	`return symlink.FollowSymlinkInScope(filepath.Join(root, path), root)`
`25`	`27`	`}`