fix: remove overly-broad /init suffix detection in IsSystemdImage

rgarcia · rgarcia · commit 824d6e0fbc3d · 2025-12-26T15:22:28.000-05:00
Per review feedback, matching any path ending in /init is too aggressive
since many entrypoint scripts are named 'init'. Now only matches explicit
systemd paths: /sbin/init, /lib/systemd/systemd, /usr/lib/systemd/systemd
diff --git a/lib/images/systemd.go b/lib/images/systemd.go
@@ -1,7 +1,5 @@
 package images
 
-import "strings"
-
 // IsSystemdImage checks if the image's CMD indicates it wants systemd as init.
 // Detection is based on the effective command (entrypoint + cmd), not whether
 // systemd is installed in the image.
@@ -10,17 +8,21 @@ import "strings"
 //   - /sbin/init
 //   - /lib/systemd/systemd
 //   - /usr/lib/systemd/systemd
-//   - Any path ending in /init
 func IsSystemdImage(entrypoint, cmd []string) bool {
-	// Combine to get the actual command that will run
-	effective := append(entrypoint, cmd...)
+	// Combine to get the actual command that will run.
+	// Create a new slice to avoid corrupting caller's backing array.
+	effective := make([]string, 0, len(entrypoint)+len(cmd))
+	effective = append(effective, entrypoint...)
+	effective = append(effective, cmd...)
 	if len(effective) == 0 {
 		return false
 	}
 
 	first := effective[0]
 
-	// Match specific systemd/init paths
+	// Match specific systemd/init paths only.
+	// We intentionally don't match generic */init paths since many entrypoint
+	// scripts are named "init" and would be false positives.
 	systemdPaths := []string{
 		"/sbin/init",
 		"/lib/systemd/systemd",
@@ -32,12 +34,6 @@ func IsSystemdImage(entrypoint, cmd []string) bool {
 		}
 	}
 
-	// Match any absolute path ending in /init (e.g., /usr/sbin/init)
-	// Only match absolute paths to avoid false positives like "./init"
-	if strings.HasPrefix(first, "/") && strings.HasSuffix(first, "/init") {
-		return true
-	}
-
 	return false
 }
 
diff --git a/lib/images/systemd_test.go b/lib/images/systemd_test.go
@@ -38,10 +38,10 @@ func TestIsSystemdImage(t *testing.T) {
 			expected:   true,
 		},
 		{
-			name:       "path ending in /init",
+			name:       "path ending in /init should not match (too broad)",
 			entrypoint: nil,
 			cmd:        []string{"/usr/sbin/init"},
-			expected:   true,
+			expected:   false,
 		},
 		{
 			name:       "regular command (nginx)",

Original file line number	Diff line number	Diff line change
`@@ -38,10 +38,10 @@ func TestIsSystemdImage(t *testing.T) {`
`38`	`38`	`expected: true,`
`39`	`39`	`},`
`40`	`40`	`{`
`41`		`- name: "path ending in /init",`
	`41`	`+ name: "path ending in /init should not match (too broad)",`
`42`	`42`	`entrypoint: nil,`
`43`	`43`	`cmd: []string{"/usr/sbin/init"},`
`44`		`- expected: true,`
	`44`	`+ expected: false,`
`45`	`45`	`},`
`46`	`46`	`{`
`47`	`47`	`name: "regular command (nginx)",`