refactor(images): adopt resolve-once pattern, port upstream security tests#461
Merged
Merged
Conversation
…m tests Ditch the SafeRoot god object (12+ methods) in favor of containerd's resolve-once pattern: SafeRoot shrinks to open/resolve/resolve_or_root/ normalize/root_path. Callers use standard std::fs on the resolved PathBuf. Key changes: - Move extraction helpers into LayerExtractor as associated functions - Extract resolve_or_root() and normalize() onto SafeRoot (DRY) - Fix dir finalization to use symlink_metadata instead of exists() - Simplify remove_nofollow, obstacle removal, apply_xattrs - Port containerd/umoci security test cases (symlink escape, whiteout, hardlink, path traversal, circular symlinks, hop limits) - Remove dead dns.rs module, fix build.rs linker comment - Refactor guest /etc bind-mounts to bundle-dir pattern (Docker/containerd)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
std::fson the resolved PathBufLayerExtractoras associated functions instead of scattered free functionssymlink_metadatainstead ofexists()(prevents following replaced symlinks)dns.rsmodule, fixbuild.rslinker comment, refactor guest/etcbind-mounts to bundle-dir patternTest plan
cargo clippyclean on macOS and Linuxcargo testpasses on macOS (662 tests) and Linux (670 tests)