E53F contenthash: do not follow nested symlinks when computing checksum by jsternberg · Pull Request #6220 · moby/buildkit · GitHub
[go: up one dir, main page]
Skip to content

contenthash: do not follow nested symlinks when computing checksum #6220

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 19, 2025
Merged

contenthash: do not follow nested symlinks when computing checksum #6220

merged 1 commit into from
Sep 19, 2025

Conversation

jsternberg
Copy link
Collaborator
@jsternberg jsternberg commented Sep 12, 2025
edited
Loading

Nested symlinks were not intended to be followed after the first level
of wildcard expansion. When include/exclude patterns were used or a
wildcard was present higher up in the tree, we would erroneously follow
ALL symlinks to compute the hash.

When a symlink was broken, this would result in an error. We weren't
supposed to be following the symlinks at all.

This fixes things by changing includedPaths to also return whether a
path should follow links. If a parent directory exists for the path,
then the symlink is not followed.

Fixes #4946.

@jsternberg jsternberg force-pushed the copy-broken-symlink-with-exclude branch from 50bd827 to 0c3f539 Compare September 12, 2025 16:30
tonistiigi
tonistiigi reviewed Sep 12, 2025
View reviewed changes
Copy link
Member
@tonistiigi tonistiigi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add (some) integration tests for this as well. Current unit tests only check the cache checksum computation, not that there isn't an error in the actual copy phase of the feature or that the correct files are being copied.

cache/contenthash/checksum_test.go
expectedSym = digest.Digest("sha256:e14a98332f46b81993ff4a3b7898bb00fc3d245d84e4c42e57c9ee6b129c7c41")

// Same with wildcard used.
dgst, err = cc.Checksum(context.TODO(), ref, "fo?", ChecksumOpts{FollowLinks: true, Wildcard: true}, nil)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this one returning a different checksum than foo. I guess the last one is returning a different checksum because it is the list of all the subpaths (technically we could detect the case where excludepatterns doesn't match anything but that doesn't need to be part of this PR if it is new optimization).

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea it returns a different checksum because the non-wildcard one computes the checksum of foo by itself and this one computes the checksum of foo and the contents without following the symlink.

Copy link
Member
@tonistiigi tonistiigi Sep 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

checksum of foo by itself

But "foo itself" also contains the contents (without following the symlink).

This is likely unrelated to this change, but I've forgotten what the difference is because afaics these commands copy identical files.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added an integration test for this.

@jsternberg jsternberg force-pushed the copy-broken-symlink-with-exclude branch from 0c3f539 to 0a83b16 Compare September 12, 2025 19:03
@jsternberg jsternberg force-pushed the copy-broken-symlink-with-exclude branch 3 times, most recently from b69f184 to e04696e Compare September 12, 2025 21:04
@jsternberg
contenthash: do not follow nested symlinks when computing checksum
74d1779 
Nested symlinks were not intended to be followed after the first level
of wildcard expansion. When include/exclude patterns were used or a
wildcard was present higher up in the tree, we would erroneously follow
ALL symlinks to compute the hash.

When a symlink was broken, this would result in an error. We weren't
supposed to be following the symlinks at all.

This fixes things by changing `includedPaths` to also return whether a
path should follow links. If a parent directory exists for the path,
then the symlink is not followed.

Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
@jsternberg jsternberg force-pushed the copy-broken-symlink-with-exclude branch from e04696e to 74d1779 Compare September 12, 2025 23:02
@thompson-shaun thompson-shaun added this to the v0.25.0 milestone Sep 15, 2025
@jsternberg jsternberg mentioned this pull request Sep 19, 2025
Merged
@tonistiigi tonistiigi mentioned this pull request Sep 19, 2025
Open
@tonistiigi
Copy link
Member

Opened a follow-up issue in #6233 , but doesn't seem to be related to changes in this PR.

@tonistiigi tonistiigi merged commit f319a77 into moby:master Sep 19, 2025
168 of 169 checks passed
@jsternberg jsternberg deleted the copy-broken-symlink-with-exclude branch September 20, 2025 13:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tonistiigi tonistiigi tonistiigi approved these changes

@crazy-max crazy-max Awaiting requested review from crazy-max

Assignees

@jsternberg jsternberg

Labels
area/dockerfile area/frontend area/storage area/testing
Projects
None yet
Milestone
v0.25.0
Development

Successfully merging this pull request may close these issues.

dockerfile:1.7-labs: COPY fails where there exists broken symbolic link and --exclude is specified
3 participants
@jsternberg @tonistiigi @thompson-shaun
0