Check compose file don't use relative paths for bind mount

Signed-off-by: Nicolas De Loof <[email protected]>

Author: ndeloof

internal/commands/build/types.go

@@ -2,6 +2,7 @@ package build
 
 import (
 	"fmt"
+	"path/filepath"
 	"reflect"
 	"strings"
 
@@ -15,8 +16,14 @@ import (
 type ServiceConfig struct {
 	Name string `yaml:"-" json:"-"`
 
-	Build *ImageBuildConfig
-	Image *string
+	Build   *ImageBuildConfig
+	Image   *string
+	Volumes []ServiceVolumeConfig `yaml:",omitempty" json:"volumes,omitempty"`
+}
+
+type ServiceVolumeConfig struct {
+	Type   string `yaml:",omitempty" json:"type,omitempty"`
+	Source string `yaml:",omitempty" json:"source,omitempty"`
 }
 
 type ImageBuildConfig struct {
@@ -46,6 +53,13 @@ func loadServices(servicesDict map[string]interface{}, buildArgs []string) ([]Se
 			return nil, err
 		}
 		services = append(services, *serviceConfig)
+
+		// Sanity check
+		for _, volume := range serviceConfig.Volumes {
+			if volume.Type == "bind" && !filepath.IsAbs(volume.Source) {
+				return nil, fmt.Errorf("invalid service %q: can't use relative path as volume source", name)
+			}
+		}
 	}
 	return services, nil
 }
@@ -57,6 +71,9 @@ func loadService(name string, serviceDict map[string]interface{}, buildArgs []st
 	if err := loader.Transform(serviceDict, serviceConfig, loader.Transformer{
 		TypeOf: reflect.TypeOf(ImageBuildConfig{}),
 		Func:   transformBuildConfig,
+	}, loader.Transformer{
+		TypeOf: reflect.TypeOf(ServiceVolumeConfig{}),
+		Func:   transformVolumeConfig,
 	}); err != nil {
 		return nil, err
 	}
@@ -77,6 +94,22 @@ func transformBuildConfig(data interface{}) (interface{}, error) {
 	}
 }
 
+func transformVolumeConfig(data interface{}) (interface{}, error) {
+	switch value := data.(type) {
+	case string:
+		spec := data.(string)
+		volume, err := loader.ParseVolume(spec)
+		if err != nil {
+			return nil, err
+		}
+		return ServiceVolumeConfig{Type: volume.Type, Source: volume.Source}, nil
+	case map[string]interface{}:
+		return data, nil
+	default:
+		return data, errors.Errorf("invalid type %T for service volume", value)
+	}
+}
+
 func buildArgsToMap(array []string) map[string]string {
 	result := make(map[string]string)
 	for _, value := range array {

internal/packager/init.go

@@ -125,6 +125,50 @@ func checkEnvFiles(errWriter io.Writer, appName string, cfgMap map[string]interf
 	return nil
 }
 
+func checkRelativePaths(cfgMap map[string]interface{}) error {
+	services := cfgMap["services"]
+	servicesMap, ok := services.(map[string]interface{})
+	if !ok {
+		return fmt.Errorf("invalid Compose file")
+	}
+	for svcName, svc := range servicesMap {
+		svcContent, ok := svc.(map[string]interface{})
+		if !ok {
+			return fmt.Errorf("invalid service %q", svcName)
+		}
+		v, ok := svcContent["volumes"]
+		if !ok {
+			continue
+		}
+		volumes, ok := v.([]interface{})
+		if !ok {
+			return fmt.Errorf("invalid Compose file")
+		}
+		for _, volume := range volumes {
+			switch volume.(type) {
+			case string:
+				svol := volume.(string)
+				source := strings.TrimRight(svol, ":")
+				if !filepath.IsAbs(source) {
+					return fmt.Errorf("invalid service %q: can't use relative path as volume source", svcName)
+				}
+			case map[string]interface{}:
+				lvol := volume.(map[string]interface{})
+				src, ok := lvol["source"]
+				if !ok {
+					return fmt.Errorf("invalid volume in service %q", svcName)
+				}
+				if !filepath.IsAbs(src.(string)) {
+					return fmt.Errorf("invalid service %q: can't use relative path as volume source", svcName)
+				}
+			default:
+				return fmt.Errorf("invalid Compose file")
+			}
+		}
+	}
+	return nil
+}
+
 func getParamsFromDefaultEnvFile(composeFile string, composeRaw []byte) (map[string]string, bool, error) {
 	params := make(map[string]string)
 	envs, err := opts.ParseEnvFile(filepath.Join(filepath.Dir(composeFile), ".env"))
@@ -173,6 +217,9 @@ func initFromComposeFile(errWriter io.Writer, name string, composeFile string) e
 	if err := checkEnvFiles(errWriter, name, cfgMap); err != nil {
 		return err
 	}
+	if err := checkRelativePaths(cfgMap); err != nil {
+		return err
+	}
 	params, needsFilling, err := getParamsFromDefaultEnvFile(composeFile, composeRaw)
 	if err != nil {
 		return err

internal/packager/init_test.go

@@ -186,3 +186,39 @@ maintainers:
 	)
 	assert.Assert(t, fs.Equal(tmpdir.Path(), manifest))
 }
+
+func TestInitRelativeVolumePath(t *testing.T) {
+	for _, composeData := range []string{`
+version: '3.7'
+services:
+  nginx:
+    image: nginx
+    volumes:
+      - ./foo:/data
+`,
+		`
+version: '3.7'
+services:
+  nginx:
+    image: nginx
+    volumes:
+      - type: bind
+        source: ./foo
+        target: /data
+`,
+	} {
+		inputDir := fs.NewDir(t, "app_input_",
+			fs.WithFile(internal.ComposeFileName, composeData),
+		)
+		defer inputDir.Remove()
+
+		appName := "my.dockerapp"
+		dir := fs.NewDir(t, "app_",
+			fs.WithDir(appName),
+		)
+		defer dir.Remove()
+
+		err := initFromComposeFile(nil, dir.Join(appName), inputDir.Join(internal.ComposeFileName))
+		assert.ErrorContains(t, err, "can't use relative path")
+	}
+}