Merge pull request #988 from snyk/fix/sanitize-workloadMetadata

minsiyang · web-flow · commit 74714daedf87 · 2022-01-12T17:27:35.000Z
RUN-1968 fix: sanitize workload metadata
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/supervisor/metadata-extractor.ts b/src/supervisor/metadata-extractor.ts
@@ -24,6 +24,9 @@ export function buildImageMetadata(
 
   const containerNameToSpec: { [key: string]: V1Container } = {};
   for (const container of podSpec.containers) {
+    delete container.args;
+    delete container.env;
+    delete container.command;
     containerNameToSpec[container.name] = container;
   }
 
diff --git a/test/fixtures/sidecar-containers/deployment.yaml b/test/fixtures/sidecar-containers/deployment.yaml
@@ -48,6 +48,12 @@ spec:
           successThreshold: 1
           timeoutSeconds: 5
         name: hello-world
+        args: [something]
+        env: 
+          - name: NODE_EXTRA_CA_CERTS
+            value: "important info"
+        command:
+          - "do something"
         ports:
         - containerPort: 8080
           name: http
diff --git a/test/unit/supervisor/metadata-extractor.spec.ts b/test/unit/supervisor/metadata-extractor.spec.ts
@@ -124,5 +124,10 @@ describe('metadata extractor tests', () => {
         imageName: 'eu.gcr.io/cookie/hello-world:1.20191125.132107-4664980',
       }),
     );
+    const container = imageMetadataResult[0].podSpec.containers[0];
+
+    expect(container.args).toBeUndefined();
+    expect(container.command).toBeUndefined();
+    expect(container.env).toBeUndefined();
   });
 });

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,9 @@ export function buildImageMetadata(`
`24`	`24`
`25`	`25`	`const containerNameToSpec: { [key: string]: V1Container } = {};`
`26`	`26`	`for (const container of podSpec.containers) {`
	`27`	`+ delete container.args;`
	`28`	`+ delete container.env;`
	`29`	`+ delete container.command;`
`27`	`30`	`containerNameToSpec[container.name] = container;`
`28`	`31`	`}`
`29`	`32`