fix(builtin): don't allow symlinks to escape or enter bazel managed node_module folders #1800
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gregmagolan
force-pushed
the
node_symlinks_fixes
branch
from
88026cc
to
4b648d5
Compare
gregmagolan
force-pushed
the
node_symlinks_fixes
branch
from
4b648d5
to
94eeb00
Compare
gregmagolan
force-pushed
the
node_symlinks_fixes
branch
from
94eeb00
to
37038c0
Compare
alexeagle
approved these changes
Apr 8, 2020
There was a problem hiding this comment.
wow, I kinda understand. I wish @soldair was available for review but I think it's good.
Would be nice to have that added test coverage but I guess there's integration test coverage coming from some downstream usecase like jest?
| # escape and no symlinks may enter | ||
| if [ "$(basename ${BAZEL_PATCH_ROOT})" == "execroot" ]; then | ||
| # We are in execroot, linker node_modules is in the PWD | ||
| export BAZEL_PATCH_GUARDS="${PWD}/node_modules" |
There was a problem hiding this comment.
seems like this doesn't work if your node_modules is in a subdirectory, which we support - but I think that's what BAZEL_NODE_MODULES_ROOT is doing below? maybe this needs a comment that we do this in a catch-all case where we don't have a BAZEL_NODE_MODULES_ROOT - but then why does that happen?
There was a problem hiding this comment.
BAZEL_NODE_MODULES_ROOT is the path to the external workspace such as npm/node_modules.
This path is actually the path to the linker symlink node_modules under execroot which should work regardless of where node_modules is.
There was a problem hiding this comment.
BAZEL_NODE_MODULES_ROOT is always set in templated_args above:
env_vars += """if [[ -z "${BAZEL_NODE_MODULES_ROOT:-}" ]]; then
export BAZEL_NODE_MODULES_ROOT=%s
fi
""" % node_modules_root
so below is just a sanity check
gregmagolan
force-pushed
the
node_symlinks_fixes
branch
from
37038c0
to
c1f2f29
Compare
gregmagolan
force-pushed
the
node_symlinks_fixes
branch
2 times, most recently
from
10bd951
to
ceebe1a
Compare
jbedard
reviewed
Apr 9, 2020
gregmagolan
force-pushed
the
node_symlinks_fixes
branch
3 times, most recently
from
00a4c20
to
23c1500
Compare
filipesilva
added a commit
to filipesilva/angular-cli
that referenced
this pull request
Apr 9, 2020
Snapshot for bazel-contrib/rules_nodejs#1800, taken from https://github.com/aspect-dev/rules_nodejs-builds/tree/labs. Contains fixes related to the symlink behaviour inside of bazel. Without it, webpack needs to be configured to be aware of symlinks and preserve the paths.
This was referenced Apr 9, 2020
gregmagolan
added a commit
to gregmagolan/rules_nodejs
that referenced
this pull request
Apr 9, 2020
Issue bazel-contrib#1803 was fixed by bazel-contrib#1800 which is already landed. bazel-contrib#1805 also fixes via a different mechanism and will also land soon.
gregmagolan
added a commit
to gregmagolan/rules_nodejs
that referenced
this pull request
Apr 9, 2020
Issue bazel-contrib#1813 was fixed by bazel-contrib#1800 which is already landed. bazel-contrib#1805 also fixes via a different mechanism and will also land soon.
gregmagolan
force-pushed
the
node_symlinks_fixes
branch
from
23c1500
to
330bebf
Compare
gregmagolan
added a commit
to gregmagolan/rules_nodejs
that referenced
this pull request
Apr 9, 2020
Issue bazel-contrib#1813 was fixed by bazel-contrib#1800 which is already landed. bazel-contrib#1805 also fixes via a different mechanism and will also land soon.
gregmagolan
force-pushed
the
node_symlinks_fixes
branch
from
330bebf
to
3212252
Compare
gregmagolan
added a commit
to gregmagolan/rules_nodejs
that referenced
this pull request
Apr 9, 2020
Issue bazel-contrib#1813 was fixed by bazel-contrib#1800 which is already landed. bazel-contrib#1805 also fixes via a different mechanism and will also land soon.
gregmagolan
force-pushed
the
node_symlinks_fixes
branch
from
3212252
to
c380f0a
Compare
gregmagolan
added a commit
to gregmagolan/rules_nodejs
that referenced
this pull request
Apr 9, 2020
Issue bazel-contrib#1813 was fixed by bazel-contrib#1800 which is already landed. bazel-contrib#1805 also fixes via a different mechanism and will also land soon.
gregmagolan
force-pushed
the
node_symlinks_fixes
branch
2 times, most recently
from
46c0343
to
a5e6da4
Compare
gregmagolan
added a commit
to gregmagolan/rules_nodejs
that referenced
this pull request
Apr 9, 2020
Issue bazel-contrib#1813 was fixed by bazel-contrib#1800 which is already landed. bazel-contrib#1805 also fixes via a different mechanism and will also land soon.
gregmagolan
added a commit
to gregmagolan/rules_nodejs
that referenced
this pull request
Apr 9, 2020
Issue bazel-contrib#1813 was fixed by bazel-contrib#1800 which is already landed. bazel-contrib#1805 also fixes via a different mechanism and will also land soon.
gregmagolan
force-pushed
the
node_symlinks_fixes
branch
from
a5e6da4
to
e55d3c3
Compare
gregmagolan
added a commit
that referenced
this pull request
Apr 9, 2020
gregmagolan
force-pushed
the
node_symlinks_fixes
branch
6 times, most recently
from
9773808
to
0209cff
Compare
…ode_module folders
gregmagolan
force-pushed
the
node_symlinks_fixes
branch
from
0209cff
to
0c16611
Compare
filipesilva
added a commit
to filipesilva/angular-cli
that referenced
this pull request
Apr 10, 2020
Snapshot for bazel-contrib/rules_nodejs#1800, taken from https://github.com/aspect-dev/rules_nodejs-builds/tree/labs. Contains fixes related to the symlink behaviour inside of bazel. Without it, webpack needs to be configured to be aware of symlinks and preserve the paths.
filipesilva
added a commit
to filipesilva/angular-cli
that referenced
this pull request
Apr 10, 2020
Snapshot for bazel-contrib/rules_nodejs#1800, taken from https://github.com/aspect-dev/rules_nodejs-builds/tree/labs. Contains fixes related to the symlink behaviour inside of bazel. Without it, webpack needs to be configured to be aware of symlinks and preserve the paths.
filipesilva
added a commit
to filipesilva/angular-cli
that referenced
this pull request
Apr 10, 2020
Snapshot for bazel-contrib/rules_nodejs#1800, taken from https://github.com/aspect-dev/rules_nodejs-builds/tree/labs. Contains fixes related to the symlink behaviour inside of bazel. Without it, webpack needs to be configured to be aware of symlinks and preserve the paths.
Closed
12 tasks
gregmagolan
pushed a commit
to gregmagolan/angular-cli
that referenced
this pull request
Apr 10, 2020
Snapshot for bazel-contrib/rules_nodejs#1800, taken from https://github.com/aspect-dev/rules_nodejs-builds/tree/labs. Contains fixes related to the symlink behaviour inside of bazel. Without it, webpack needs to be configured to be aware of symlinks and preserve the paths.
|
\o sorry for the delay. i somehow missed most of my communication last week |
filipesilva
added a commit
to filipesilva/angular-cli
that referenced
this pull request
Apr 16, 2020
Snapshot for bazel-contrib/rules_nodejs#1800, taken from https://github.com/aspect-dev/rules_nodejs-builds/tree/labs. Contains fixes related to the symlink behaviour inside of bazel. Without it, webpack needs to be configured to be aware of symlinks and preserve the paths.
gregmagolan
pushed a commit
to filipesilva/angular-cli
that referenced
this pull request
Apr 16, 2020
Snapshot for bazel-contrib/rules_nodejs#1800, taken from https://github.com/aspect-dev/rules_nodejs-builds/tree/labs. Contains fixes related to the symlink behaviour inside of bazel. Without it, webpack needs to be configured to be aware of symlinks and preserve the paths.
filipesilva
added a commit
to filipesilva/angular-cli
that referenced
this pull request
Apr 27, 2020
Snapshot for bazel-contrib/rules_nodejs#1800, taken from https://github.com/aspect-dev/rules_nodejs-builds/tree/labs. Contains fixes related to the symlink behaviour inside of bazel. Without it, webpack needs to be configured to be aware of symlinks and preserve the paths.
gregmagolan
pushed a commit
to gregmagolan/angular-cli
that referenced
this pull request
Apr 27, 2020
…mmits) Squashed commits: [241a8bc] build: use ts_library macro with common defaults [12b3f3c] build: use @bazel/bazelisk [22792f3] ci: update required status checks [d7dbbab] build: use no-remote-exec tag so test still runs in sandbox Turns out there is a linker bug with no sandbox. [3eeab18] build: run tests depending on webdriver-manager locally [2cf4d32] docs: add bazel jasmine_node_test debug information [c0d3912] build: update to rules_nodejs 1.6.0 [4f0cb97] build: add webdriver-manager update & ngcc to postinstall This is required so that yarn_install can add all generated & downloaded files to the generated bazel filegroups [be1f0ed] ci: use xlarge for bazel tests [27f94da] test: remove non-bazel test setup [d085d5e] build: update yarn lock [3bc6c54] test(@angular/cli): add npm_integration_test [c83a90f] build: add missing npm_package_archive targets [8f72222] test(@angular-devkit/build-ng-packagr): build and test with Bazel [c56b83e] test(@angular-devkit/build-angular): build and test with Bazel [a7e827c] test(@angular-devkit/build-webpack): build and test with Bazel [4e7bcd3] build: use rules_nodejs snapshot Snapshot for bazel-contrib/rules_nodejs#1800, taken from https://github.com/aspect-dev/rules_nodejs-builds/tree/labs. Contains fixes related to the symlink behaviour inside of bazel. Without it, webpack needs to be configured to be aware of symlinks and preserve the paths. [4507c05] build: don't copy root package test folders [8b79f9d] fix(@ngtools/webpack): remove internal markers With these in, we can't access the properties from other Bazel targets. [e1bc6e1] fix(@ngtools/webpack): export VirtualFileSystemDecorator type We shouldn't need to export this, but webpack-rollup-loader uses it. [ffce320] refactor: rename toplevel BUILD to BUILD.bazel [90e5429] build: also validade BUILD.bazel files
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.