fix: Handle when readlink -f goes out of BIN-DIR #1052
Conversation
Noticed that on MacOS readlink -f goes out the sandbox in some cases
|
@thesayyn Notice that the preserve symlink fails on MacOs for rules-python. Not sure how to repro this in CI. |
| if (resolved_path == "") { | ||
| # 1. If readlink -f fails use readlink for relative links | ||
| # 2. Make sure readlink -f doesn't escape BIN_DIR | ||
| if (resolved_path == "" || !(resolved_path ~ bin_dir)) { |
There was a problem hiding this comment.
I believe this is wrong, we need to handle running out of bindir cases for two reasons;
- Execution strategies on macos use symlinks, there readlink might go out of sandbox, so we need to find things relative to execroot
- When running the action with no sandbox. eg
tags = ["local"]
There was a problem hiding this comment.
Sorry, is it the checking logic that is wrong, or the reasons stated for the check wrong
There was a problem hiding this comment.
Its insufficent is the problem. This reference implementation that correctly detects if a file is a symlink under most circumstances
https://github.com/aspect-build/rules_js/blob/1c1823d605578d7266fad8b5410d0aae6b9bfc6d/js/private/js_image_layer.mjs#L55-L90
There was a problem hiding this comment.
Following on this, so the right logic for this would be, we follow the symlink only one level, check if its out of the bindir, and if it is then its not a symlink that stays within the output tree therefore an implementation detail symlink.
Noticed that on MacOS readlink -f goes out the sandbox in some cases