Merge pull request from GHSA-5mv9-q7fq-9394

fix: respect current remote for actions against library:// URIs (3.7)
sylabs · May 26, 2021 · d52ae9d · d52ae9d
2 parents 6e59f31 + 00d3ad7
commit d52ae9d
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 2 deletions.
diff --git a/cmd/internal/cli/actions.go b/cmd/internal/cli/actions.go
@@ -21,7 +21,6 @@ import (
 	"github.com/sylabs/singularity/internal/pkg/client/oci"
 	"github.com/sylabs/singularity/internal/pkg/client/oras"
 	"github.com/sylabs/singularity/internal/pkg/client/shub"
-	"github.com/sylabs/singularity/internal/pkg/remote/endpoint"
 	"github.com/sylabs/singularity/internal/pkg/util/uri"
 	"github.com/sylabs/singularity/pkg/sylog"
 )
@@ -75,7 +74,8 @@ func handleOras(ctx context.Context, imgCache *cache.Handle, cmd *cobra.Command,
 }
 
 func handleLibrary(ctx context.Context, imgCache *cache.Handle, pullFrom string) (string, error) {
-	c, err := getLibraryClientConfig(endpoint.SCSDefaultLibraryURI)
+	// Pass uri="" to use current remote
+	c, err := getLibraryClientConfig("")
 	if err != nil {
 		return "", err
 	}

diff --git a/e2e/actions/actions.go b/e2e/actions/actions.go
@@ -2198,6 +2198,8 @@ func E2ETests(env e2e.TestEnv) testhelper.Tests {
 		env: env,
 	}
 
+	np := testhelper.NoParallel
+
 	return testhelper.Tests{
 		"action URI":            c.RunFromURI,          // action_URI
 		"exec":                  c.actionExec,          // singularity exec
@@ -2230,5 +2232,6 @@ func E2ETests(env e2e.TestEnv) testhelper.Tests {
 		"bind image":            c.bindImage,           // test bind image
 		"umask":                 c.actionUmask,         // test umask propagation
 		"no-mount":              c.actionNoMount,       // test --no-mount
+		"invalidRemote":         np(c.invalidRemote),   // GHSA-5mv9-q7fq-9394
 	}
 }
diff --git a/e2e/actions/regressions.go b/e2e/actions/regressions.go
@@ -616,3 +616,69 @@ func (c actionTests) issue5690(t *testing.T) {
 		e2e.ExpectExit(0),
 	)
 }
+
+// If an invalid remote is set, we should not pull a container from the default
+// library.
+// GHSA-5mv9-q7fq-9394
+func (c actionTests) invalidRemote(t *testing.T) {
+	testEndpoint := "invalid"
+	testEndpointURI := "https://cloud.example.com"
+	testImage := "library://alpine"
+
+	// Exec library image from the default remote... ensure it succeeds
+	argv := []string{testImage, "/bin/true"}
+	c.env.RunSingularity(
+		t,
+		e2e.AsSubtest("exec default"),
+		e2e.WithProfile(e2e.UserProfile),
+		e2e.WithCommand("exec"),
+		e2e.WithArgs(argv...),
+		e2e.ExpectExit(0),
+	)
+
+	// Add another endpoint
+	argv = []string{"add", "--no-login", testEndpoint, testEndpointURI}
+	c.env.RunSingularity(
+		t,
+		e2e.AsSubtest("remote add"),
+		e2e.WithProfile(e2e.UserProfile),
+		e2e.WithCommand("remote"),
+		e2e.WithArgs(argv...),
+		e2e.ExpectExit(0),
+	)
+	// Remove test remote when we are done here
+	defer func(t *testing.T) {
+		argv := []string{"remove", testEndpoint}
+		c.env.RunSingularity(
+			t,
+			e2e.AsSubtest("remote remove"),
+			e2e.WithProfile(e2e.UserProfile),
+			e2e.WithCommand("remote"),
+			e2e.WithArgs(argv...),
+			e2e.ExpectExit(0),
+		)
+	}(t)
+
+	// Set as default
+	argv = []string{"use", testEndpoint}
+	c.env.RunSingularity(
+		t,
+		e2e.AsSubtest("remote use"),
+		e2e.WithProfile(e2e.UserProfile),
+		e2e.WithCommand("remote"),
+		e2e.WithArgs(argv...),
+		e2e.ExpectExit(0),
+	)
+
+	// Exec library image from the invalid remote, should fail
+	argv = []string{testImage, "/bin/true"}
+	c.env.RunSingularity(
+		t,
+		e2e.AsSubtest("exec invalid"),
+		e2e.WithProfile(e2e.UserProfile),
+		e2e.WithCommand("exec"),
+		e2e.WithArgs(argv...),
+		e2e.ExpectExit(255),
+	)
+
+}