Merge pull request moby#5107 from tonistiigi/json-decoder-fix

AkihiroSuda · web-flow · commit 1f3eab8c59ff · 2024-07-02T12:42:50.000+09:00
fix incorrect usage of json.NewDecoder
diff --git a/cache/remotecache/s3/s3.go b/cache/remotecache/s3/s3.go
@@ -408,6 +408,9 @@ func (s3Client *s3Client) getManifest(ctx context.Context, key string, config *v
 	if err := decoder.Decode(config); err != nil {
 		return false, errors.WithStack(err)
 	}
+	if _, err := decoder.Token(); !errors.Is(err, io.EOF) {
+		return false, errors.Errorf("unexpected data after JSON object")
+	}
 
 	return true, nil
 }
diff --git a/executor/runcexecutor/executor.go b/executor/runcexecutor/executor.go
@@ -422,9 +422,13 @@ func (w *runcExecutor) Exec(ctx context.Context, id string, process executor.Pro
 	defer f.Close()
 
 	spec := &specs.Spec{}
-	if err := json.NewDecoder(f).Decode(spec); err != nil {
+	dec := json.NewDecoder(f)
+	if err := dec.Decode(spec); err != nil {
 		return err
 	}
+	if _, err := dec.Token(); !errors.Is(err, io.EOF) {
+		return errors.Errorf("unexpected data after JSON spec object")
+	}
 
 	if process.Meta.User != "" {
 		uid, gid, sgids, err := oci.GetUser(state.Rootfs, process.Meta.User)
diff --git a/exporter/attestation/unbundle.go b/exporter/attestation/unbundle.go
@@ -3,6 +3,7 @@ package attestation
 import (
 	"context"
 	"encoding/json"
+	"io"
 	"os"
 	"path"
 	"strings"
@@ -141,6 +142,9 @@ func unbundle(root string, bundle exporter.Attestation) ([]exporter.Attestation,
 		if err := dec.Decode(&stmt); err != nil {
 			return nil, errors.Wrap(err, "cannot decode in-toto statement")
 		}
+		if _, err := dec.Token(); !errors.Is(err, io.EOF) {
+			return nil, errors.New("in-toto statement is not a single JSON object")
+		}
 		if bundle.InToto.PredicateType != "" && stmt.PredicateType != bundle.InToto.PredicateType {
 			return nil, errors.Errorf("bundle entry %s does not match required predicate type %s", stmt.PredicateType, bundle.InToto.PredicateType)
 		}
diff --git a/frontend/dockerfile/dockerfile_test.go b/frontend/dockerfile/dockerfile_test.go
@@ -185,6 +185,7 @@ var allTests = integration.TestFuncs(
 	testFrontendDeduplicateSources,
 	testDuplicateLayersProvenance,
 	testSourcePolicyWithNamedContext,
+	testInvalidJSONCommands,
 )
 
 // Tests that depend on the `security.*` entitlements
@@ -2053,6 +2054,84 @@ ENTRYPOINT my entrypoint
 	require.Equal(t, []string{"ls", "my entrypoint"}, ociimg.Config.Entrypoint)
 }
 
+func testInvalidJSONCommands(t *testing.T, sb integration.Sandbox) {
+	integration.SkipOnPlatform(t, "windows")
+	f := getFrontend(t, sb)
+
+	dockerfile := []byte(`
+FROM alpine
+RUN ["echo", "hello"]this is invalid
+`)
+
+	dir := integration.Tmpdir(
+		t,
+		fstest.CreateFile("Dockerfile", dockerfile, 0600),
+	)
+
+	c, err := client.New(sb.Context(), sb.Address())
+	require.NoError(t, err)
+	defer c.Close()
+
+	_, err = f.Solve(sb.Context(), c, client.SolveOpt{
+		LocalMounts: map[string]fsutil.FS{
+			dockerui.DefaultLocalNameDockerfile: dir,
+			dockerui.DefaultLocalNameContext:    dir,
+		},
+	}, nil)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "this is invalid")
+
+	workers.CheckFeatureCompat(t, sb,
+		workers.FeatureDirectPush,
+	)
+
+	registry, err := sb.NewRegistry()
+	if errors.Is(err, integration.ErrRequirements) {
+		t.Skip(err.Error())
+	}
+	require.NoError(t, err)
+
+	target := registry + "/buildkit/testexportdf:multi"
+
+	dockerfile = []byte(`
+FROM alpine
+ENTRYPOINT []random string
+`)
+
+	dir = integration.Tmpdir(
+		t,
+		fstest.CreateFile("Dockerfile", dockerfile, 0600),
+	)
+
+	_, err = f.Solve(sb.Context(), c, client.SolveOpt{
+		Exports: []client.ExportEntry{
+			{
+				Type: client.ExporterImage,
+				Attrs: map[string]string{
+					"name": target,
+					"push": "true",
+				},
+			},
+		},
+		LocalMounts: map[string]fsutil.FS{
+			dockerui.DefaultLocalNameDockerfile: dir,
+			dockerui.DefaultLocalNameContext:    dir,
+		},
+	}, nil)
+	require.NoError(t, err)
+
+	desc, provider, err := contentutil.ProviderFromRef(target)
+	require.NoError(t, err)
+
+	imgs, err := testutil.ReadImages(sb.Context(), provider, desc)
+	require.NoError(t, err)
+
+	require.Len(t, imgs.Images, 1)
+	img := imgs.Images[0].Img
+
+	require.Equal(t, []string{"/bin/sh", "-c", "[]random string"}, img.Config.Entrypoint)
+}
+
 func testPullScratch(t *testing.T, sb integration.Sandbox) {
 	integration.SkipOnPlatform(t, "windows")
 	f := getFrontend(t, sb)
diff --git a/frontend/dockerfile/parser/line_parsers.go b/frontend/dockerfile/parser/line_parsers.go
@@ -282,7 +282,7 @@ func parseJSON(rest string) (*Node, map[string]bool, error) {
 	}
 
 	var myJSON []interface{}
-	if err := json.NewDecoder(strings.NewReader(rest)).Decode(&myJSON); err != nil {
+	if err := json.Unmarshal([]byte(rest), &myJSON); err != nil {
 		return nil, nil, err
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -408,6 +408,9 @@ func (s3Client s3Client) getManifest(ctx context.Context, key string, config v`
`408`	`408`	`if err := decoder.Decode(config); err != nil {`
`409`	`409`	`return false, errors.WithStack(err)`
`410`	`410`	`}`
	`411`	`+ if _, err := decoder.Token(); !errors.Is(err, io.EOF) {`
	`412`	`+ return false, errors.Errorf("unexpected data after JSON object")`
	`413`	`+ }`
`411`	`414`
`412`	`415`	`return true, nil`
`413`	`416`	`}`
Original file line number	Diff line number	Diff line change
`@@ -282,7 +282,7 @@ func parseJSON(rest string) (*Node, map[string]bool, error) {`
`282`	`282`	`}`
`283`	`283`
`284`	`284`	`var myJSON []interface{}`
`285`		`- if err := json.NewDecoder(strings.NewReader(rest)).Decode(&myJSON); err != nil {`
	`285`	`+ if err := json.Unmarshal([]byte(rest), &myJSON); err != nil {`
`286`	`286`	`return nil, nil, err`
`287`	`287`	`}`
`288`	`288`