bake: fix BAKE_CMD_CONTEXT relative path resolution

bake/bake.go

@@ -1000,6 +1000,10 @@ func checkPath(p string) error {
 		}
 		return err
 	}
+	p, err = filepath.Abs(p)
+	if err != nil {
+		return err
+	}
 	wd, err := os.Getwd()
 	if err != nil {
 		return err
@@ -1008,7 +1012,8 @@ func checkPath(p string) error {
 	if err != nil {
 		return err
 	}
-	if strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
+	parts := strings.Split(rel, string(os.PathSeparator))
+	if parts[0] == ".." {
 		return errors.Errorf("path %s is outside of the working directory, please set BAKE_ALLOW_REMOTE_FS_ACCESS=1", p)
 	}
 	return nil

tests/bake.go

@@ -0,0 +1,265 @@
+package tests
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/containerd/continuity/fs/fstest"
+	"github.com/docker/buildx/util/gitutil"
+	"github.com/moby/buildkit/util/testutil/integration"
+	"github.com/stretchr/testify/require"
+)
+
+func bakeCmd(sb integration.Sandbox, opts ...cmdOpt) (string, error) {
+	opts = append([]cmdOpt{withArgs("bake", "--progress=quiet")}, opts...)
+	cmd := buildxCmd(sb, opts...)
+	out, err := cmd.CombinedOutput()
+	return string(out), err
+}
+
+var bakeTests = []func(t *testing.T, sb integration.Sandbox){
+	testBakeRemote,
+	testBakeRemoteCmdContext,
+	testBakeRemoteCmdContextOverride,
+	testBakeRemoteContextSubdir,
+	testBakeRemoteCmdContextEscapeRoot,
+	testBakeRemoteCmdContextEscapeRelative,
+}
+
+func testBakeRemote(t *testing.T, sb integration.Sandbox) {
+	bakefile := []byte(`
+target "default" {
+	dockerfile-inline = <<EOT
+FROM scratch
+COPY foo /foo
+EOT
+}
+`)
+	dir := tmpdir(
+		t,
+		fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+		fstest.CreateFile("foo", []byte("foo"), 0600),
+	)
+	dirDest := t.TempDir()
+
+	git, err := gitutil.New(gitutil.WithWorkingDir(dir))
+	require.NoError(t, err)
+
+	gitutil.GitInit(git, t)
+	gitutil.GitAdd(git, t, "docker-bake.hcl", "foo")
+	gitutil.GitCommit(git, t, "initial commit")
+	addr := gitutil.GitServeHTTP(git, t)
+
+	out, err := bakeCmd(sb, withDir(dir), withArgs(addr, "--set", "*.output=type=local,dest="+dirDest))
+	require.NoError(t, err, out)
+
+	require.FileExists(t, filepath.Join(dirDest, "foo"))
+}
+
+func testBakeRemoteCmdContext(t *testing.T, sb integration.Sandbox) {
+	bakefile := []byte(`
+target "default" {
+	context = BAKE_CMD_CONTEXT
+	dockerfile-inline = <<EOT
+FROM scratch
+COPY foo /foo
+EOT
+}
+`)
+	dirSpec := tmpdir(
+		t,
+		fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+	)
+	dirSrc := tmpdir(
+		t,
+		fstest.CreateFile("foo", []byte("foo"), 0600),
+	)
+	dirDest := t.TempDir()
+
+	git, err := gitutil.New(gitutil.WithWorkingDir(dirSpec))
+	require.NoError(t, err)
+
+	gitutil.GitInit(git, t)
+	gitutil.GitAdd(git, t, "docker-bake.hcl")
+	gitutil.GitCommit(git, t, "initial commit")
+	addr := gitutil.GitServeHTTP(git, t)
+
+	out, err := bakeCmd(sb, withDir(dirSrc), withArgs(addr, "--set", "*.output=type=local,dest="+dirDest))
+	require.NoError(t, err, out)
+
+	require.FileExists(t, filepath.Join(dirDest, "foo"))
+}
+
+func testBakeRemoteCmdContextOverride(t *testing.T, sb integration.Sandbox) {
+	bakefile := []byte(`
+target "default" {
+	context = BAKE_CMD_CONTEXT
+	dockerfile-inline = <<EOT
+FROM scratch
+COPY foo /foo
+EOT
+}
+`)
+	dirSpec := tmpdir(
+		t,
+		fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+	)
+	dirSrc := tmpdir(
+		t,
+		fstest.CreateFile("foo", []byte("foo"), 0600),
+	)
+	dirDest := t.TempDir()
+
+	gitSpec, err := gitutil.New(gitutil.WithWorkingDir(dirSpec))
+	require.NoError(t, err)
+	gitutil.GitInit(gitSpec, t)
+	gitutil.GitAdd(gitSpec, t, "docker-bake.hcl")
+	gitutil.GitCommit(gitSpec, t, "initial commit")
+	addrSpec := gitutil.GitServeHTTP(gitSpec, t)
+
+	gitSrc, err := gitutil.New(gitutil.WithWorkingDir(dirSrc))
+	require.NoError(t, err)
+	gitutil.GitInit(gitSrc, t)
+	gitutil.GitAdd(gitSrc, t, "foo")
+	gitutil.GitCommit(gitSrc, t, "initial commit")
+	addrSrc := gitutil.GitServeHTTP(gitSrc, t)
+
+	out, err := bakeCmd(sb, withDir("/tmp"), withArgs(addrSpec, addrSrc, "--set", "*.output=type=local,dest="+dirDest))
+	require.NoError(t, err, out)
+
+	require.FileExists(t, filepath.Join(dirDest, "foo"))
+}
+
+// https://github.com/docker/buildx/issues/1738
+func testBakeRemoteContextSubdir(t *testing.T, sb integration.Sandbox) {
+	bakefile := []byte(`
+target default {
+	context = "./bar"
+}
+`)
+	dockerfile := []byte(`
+FROM scratch
+COPY super-cool.txt /
+`)
+
+	dir := tmpdir(
+		t,
+		fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+		fstest.CreateDir("bar", 0700),
+		fstest.CreateFile("bar/Dockerfile", dockerfile, 0600),
+		fstest.CreateFile("bar/super-cool.txt", []byte("super cool"), 0600),
+	)
+	dirDest := t.TempDir()
+
+	git, err := gitutil.New(gitutil.WithWorkingDir(dir))
+	require.NoError(t, err)
+	gitutil.GitInit(git, t)
+	gitutil.GitAdd(git, t, "docker-bake.hcl", "bar")
+	gitutil.GitCommit(git, t, "initial commit")
+	addr := gitutil.GitServeHTTP(git, t)
+
+	out, err := bakeCmd(sb, withDir("/tmp"), withArgs(addr, "--set", "*.output=type=local,dest="+dirDest))
+	require.NoError(t, err, out)
+
+	require.FileExists(t, filepath.Join(dirDest, "super-cool.txt"))
+}
+
+func testBakeRemoteCmdContextEscapeRoot(t *testing.T, sb integration.Sandbox) {
+	dirSrc := tmpdir(
+		t,
+		fstest.CreateFile("foo", []byte("foo"), 0600),
+	)
+	dirSrc, err := filepath.Abs(dirSrc)
+	require.NoError(t, err)
+
+	dirCurrent := tmpdir(t)
+	dirCurrent, err = filepath.Abs(dirCurrent)
+	require.NoError(t, err)
+
+	bakefile := []byte(`
+target "default" {
+	context = "cwd://` + dirSrc + `"
+	dockerfile-inline = <<EOT
+FROM scratch
+COPY foo /foo
+EOT
+}
+`)
+	dirSpec := tmpdir(
+		t,
+		fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+	)
+	dirDest := t.TempDir()
+
+	git, err := gitutil.New(gitutil.WithWorkingDir(dirSpec))
+	require.NoError(t, err)
+
+	gitutil.GitInit(git, t)
+	gitutil.GitAdd(git, t, "docker-bake.hcl")
+	gitutil.GitCommit(git, t, "initial commit")
+	addr := gitutil.GitServeHTTP(git, t)
+
+	out, err := bakeCmd(
+		sb,
+		withDir(dirCurrent),
+		withArgs(addr, "--set", "*.output=type=local,dest="+dirDest),
+	)
+	require.Error(t, err, out)
+	require.Contains(t, out, "outside of the working directory, please set BAKE_ALLOW_REMOTE_FS_ACCESS")
+
+	out, err = bakeCmd(
+		sb,
+		withDir(dirCurrent),
+		withArgs(addr, "--set", "*.output=type=local,dest="+dirDest),
+		withEnv("BAKE_ALLOW_REMOTE_FS_ACCESS=1"),
+	)
+	require.NoError(t, err, out)
+	require.FileExists(t, filepath.Join(dirDest, "foo"))
+}
+
+func testBakeRemoteCmdContextEscapeRelative(t *testing.T, sb integration.Sandbox) {
+	bakefile := []byte(`
+target "default" {
+	context = "cwd://../"
+	dockerfile-inline = <<EOT
+FROM scratch
+COPY foo /foo
+EOT
+}
+`)
+	dirSpec := tmpdir(
+		t,
+		fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+	)
+	dirSrc := tmpdir(
+		t,
+		fstest.CreateFile("foo", []byte("foo"), 0600),
+		fstest.CreateDir("subdir", 0700),
+	)
+	dirDest := t.TempDir()
+
+	git, err := gitutil.New(gitutil.WithWorkingDir(dirSpec))
+	require.NoError(t, err)
+
+	gitutil.GitInit(git, t)
+	gitutil.GitAdd(git, t, "docker-bake.hcl")
+	gitutil.GitCommit(git, t, "initial commit")
+	addr := gitutil.GitServeHTTP(git, t)
+
+	out, err := bakeCmd(
+		sb,
+		withDir(filepath.Join(dirSrc, "subdir")),
+		withArgs(addr, "--set", "*.output=type=local,dest="+dirDest),
+	)
+	require.Error(t, err, out)
+	require.Contains(t, out, "outside of the working directory, please set BAKE_ALLOW_REMOTE_FS_ACCESS")
+
+	out, err = bakeCmd(
+		sb,
+		withDir(filepath.Join(dirSrc, "subdir")),
+		withArgs(addr, "--set", "*.output=type=local,dest="+dirDest),
+		withEnv("BAKE_ALLOW_REMOTE_FS_ACCESS=1"),
+	)
+	require.NoError(t, err, out)
+	require.FileExists(t, filepath.Join(dirDest, "foo"))
+}

tests/build.go

@@ -19,9 +19,9 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func buildCmd(sb integration.Sandbox, args ...string) (string, error) {
-	args = append([]string{"build", "--progress=quiet"}, args...)
-	cmd := buildxCmd(sb, args...)
+func buildCmd(sb integration.Sandbox, opts ...cmdOpt) (string, error) {
+	opts = append([]cmdOpt{withArgs("build", "--progress=quiet")}, opts...)
+	cmd := buildxCmd(sb, opts...)
 	out, err := cmd.CombinedOutput()
 	return string(out), err
 }
@@ -36,13 +36,13 @@ var buildTests = []func(t *testing.T, sb integration.Sandbox){
 
 func testBuild(t *testing.T, sb integration.Sandbox) {
 	dir := createTestProject(t)
-	out, err := buildCmd(sb, dir)
+	out, err := buildCmd(sb, withArgs(dir))
 	require.NoError(t, err, string(out))
 }
 
 func testBuildLocalExport(t *testing.T, sb integration.Sandbox) {
 	dir := createTestProject(t)
-	out, err := buildCmd(sb, fmt.Sprintf("--output=type=local,dest=%s/result", dir), dir)
+	out, err := buildCmd(sb, withArgs(fmt.Sprintf("--output=type=local,dest=%s/result", dir), dir))
 	require.NoError(t, err, string(out))
 
 	dt, err := os.ReadFile(dir + "/result/bar")
@@ -52,7 +52,7 @@ func testBuildLocalExport(t *testing.T, sb integration.Sandbox) {
 
 func testBuildTarExport(t *testing.T, sb integration.Sandbox) {
 	dir := createTestProject(t)
-	out, err := buildCmd(sb, fmt.Sprintf("--output=type=tar,dest=%s/result.tar", dir), dir)
+	out, err := buildCmd(sb, withArgs(fmt.Sprintf("--output=type=tar,dest=%s/result.tar", dir), dir))
 	require.NoError(t, err, string(out))
 
 	dt, err := os.ReadFile(fmt.Sprintf("%s/result.tar", dir))
@@ -74,7 +74,7 @@ func testBuildRegistryExport(t *testing.T, sb integration.Sandbox) {
 	require.NoError(t, err)
 	target := registry + "/buildx/registry:latest"
 
-	out, err := buildCmd(sb, fmt.Sprintf("--output=type=image,name=%s,push=true", target), dir)
+	out, err := buildCmd(sb, withArgs(fmt.Sprintf("--output=type=image,name=%s,push=true", target), dir))
 	require.NoError(t, err, string(out))
 
 	desc, provider, err := contentutil.ProviderFromRef(target)
@@ -92,11 +92,9 @@ func testBuildRegistryExport(t *testing.T, sb integration.Sandbox) {
 func testImageIDOutput(t *testing.T, sb integration.Sandbox) {
 	dockerfile := []byte(`FROM busybox:latest`)
 
-	dir, err := tmpdir(t,
+	dir := tmpdir(t,
 		fstest.CreateFile("Dockerfile", dockerfile, 0600),
 	)
-	require.NoError(t, err)
-
 	targetDir := t.TempDir()
 
 	outFlag := "--output=type=docker"
@@ -106,12 +104,14 @@ func testImageIDOutput(t *testing.T, sb integration.Sandbox) {
 		outFlag += ",dest=" + targetDir + "/image.tar"
 	}
 
-	cmd := buildxCmd(sb, "build", "-q", outFlag, "--iidfile", filepath.Join(targetDir, "iid.txt"), "--metadata-file", filepath.Join(targetDir, "md.json"), dir)
+	cmd := buildxCmd(
+		sb,
+		withArgs("build", "-q", outFlag, "--iidfile", filepath.Join(targetDir, "iid.txt"), "--metadata-file", filepath.Join(targetDir, "md.json"), dir),
+	)
 	stdout := bytes.NewBuffer(nil)
 	cmd.Stdout = stdout
 	cmd.Stderr = os.Stderr
-	err = cmd.Run()
-
+	err := cmd.Run()
 	require.NoError(t, err)
 
 	dt, err := os.ReadFile(filepath.Join(targetDir, "iid.txt"))
@@ -148,11 +148,10 @@ RUN cp /etc/foo /etc/bar
 FROM scratch
 COPY --from=base /etc/bar /bar
 `)
-	dir, err := tmpdir(
+	dir := tmpdir(
 		t,
 		fstest.CreateFile("Dockerfile", dockerfile, 0600),
 		fstest.CreateFile("foo", []byte("foo"), 0600),
 	)
-	require.NoError(t, err)
 	return dir
 }

tests/inspect.go

@@ -8,9 +8,9 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func inspectCmd(sb integration.Sandbox, args ...string) (string, error) {
-	args = append([]string{"inspect"}, args...)
-	cmd := buildxCmd(sb, args...)
+func inspectCmd(sb integration.Sandbox, opts ...cmdOpt) (string, error) {
+	opts = append([]cmdOpt{withArgs("inspect")}, opts...)
+	cmd := buildxCmd(sb, opts...)
 	out, err := cmd.CombinedOutput()
 	return string(out), err
 }