-
Notifications
You must be signed in to change notification settings - Fork 588
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
symlinks within a scanned directory tree are parsed outside the tree, failing if target does not exist #1860
Comments
Root cause analysisWhen it walks through the directory tree in directory_indexer.go, and specifically indexTree, it sees the symlink and parses the target here in indexPath(). It then recognizes that this is a new root (target starts with It then tries to index this new root, in the above example Prior to the above commit, it would try to walk the new root, see nothing, and just keep going. The above commit adds this section which checks of the root is a real path. Overall, that is a good thing for RecommendationsIt is my opinion that we should not be following symlinks at all. Either way, it either hinders or doesn't help:
However, if we still desire to have directory parsing, then we should ignore symlinks whose target cannot be found. A somewhat better alternative (more correctly, addition) would be to have an option either to ignore symlinks (thus fitting with my proposed logic above) or follow them. Either way, I think "this symlink points nowhere" is a good reason to skip it. The fix for that is fairly simple as well. When we parse the symlink, here, check if the target exists. If not, do not return the target. if _, err := os.Stat(targetAbsPath); err != nil && errors.Is(err, os.ErrNotExist) {
targetAbsPath = ""
}
return targetAbsPath, nil |
Here is a branch off of latest If you want, I can open a PR from it. |
We're running v0.83.1 which includes the fix but we're getting the errors still:
The errors exist when running with v0.83.0 and v0.83.1 but do not exist on v0.82.0 In our case, we're mounting an image and scanning it, so the CC @selzoc |
Reopened because of a new report from @jpalermo - @anchore/tools |
For anybody else running into this problem. We've worked around it by scanning the mounted image using |
What happened:
Here is a simple test case:
The
link
can point to anywhere, as long as it both starts with/
and does not exist.The error you get will be:
What you expected to happen:
Ideally, it would recognize that
/tmp/syft/link
points outside of the scanned directory and not follow it. At minimal, it should handle it and not fail.Steps to reproduce the issue:
See above.
Anything else we need to know?:
The commit that caused the issue is 6afbffce
Root cause analysis
Coming in an edit
The text was updated successfully, but these errors were encountered: