When building an image, symbolic links to directories are copied as clones of the directories instead of as symbolic links.
This is problematic for the following reasons:
Security issues and incorrectness. A symlink to /some/unintended/absolute/path/with/sensitive/data/ can end up resolving to a directory outside of the build directory, and so a clone of a directory with sensitive data can end up in the resulting Docker image. A less dangerous version of this issue may be that the container contents will be incorrect.
Duplication of data. This can mean bloated Docker images. Additionally, this can cause issues where some code assumes that modifying data in a symlinked directory will result in changes in all places where that data is being used.
Replicating The Issue
Source directory structure (note a single large file and two symlinks pointing to the directory that contains it):
If I run docker build . from CLI the resulting image is ~100MB in size.
However, when I run the following code, the resulting image is triple the size:
Potential Fix
I believe the fix for this would be simple; however, I haven't gotten around to it as I had some issues building the library locally.
The check in this line can be changed from f.isDirectory() to something similar to f.isDirectory() && !Files.isSymbolicLink(Paths.get(f.getAbsolutePath())) and this should resolve the issue.
There is a chance I will create a PR for this issue; however, if someone gets to this first it would be appreciated.
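Added example (not code from the issue or from the library being reported on): a build-context walker that keeps symbolic links as link entries instead of recursing into their targets, flags links whose target resolves outside the context root, and compares the byte count against what following every link would copy. The class and method names (SymlinkAwareContext, collect, escapesContext, bytesIfLinksFollowed) are my own, and the main method builds a constructed temporary layout that mirrors the report: one large file plus two symlinks to the directory that contains it, with an extra link that leaves the context to show the sensitive-data case. The walk uses Files.walkFileTree without FOLLOW_LINKS, so a symlink to a directory arrives in visitFile with isSymbolicLink() set; that is the branch a plain isDirectory() check misclassifies.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

/**
 * Added example, not the library's own code: collect a Docker build context so that
 * symbolic links stay symbolic links, and flag links that point outside the context.
 */
public class SymlinkAwareContext {

    /** One entry as it would be written to the context tarball. */
    record Entry(String name, String kind, String linkTarget, long size) {}

    /** Walk without FOLLOW_LINKS: a symlink to a directory is reported once, as a link. */
    static List<Entry> collect(Path root) throws IOException {
        Path realRoot = root.toRealPath();
        List<Entry> entries = new ArrayList<>();
        Files.walkFileTree(root, EnumSet.noneOf(FileVisitOption.class), Integer.MAX_VALUE,
            new SimpleFileVisitor<Path>() {
                @Override
                public FileVisitResult preVisitDirectory(Path dir, BasicFileAttributes attrs) {
                    if (!dir.equals(root)) {
                        entries.add(new Entry(rel(root, dir), "dir", null, 0));
                    }
                    return FileVisitResult.CONTINUE;
                }

                @Override
                public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IOException {
                    if (attrs.isSymbolicLink()) {
                        // The branch a bare isDirectory() check gets wrong: record the link
                        // itself rather than cloning whatever directory it points at.
                        Path target = Files.readSymbolicLink(file);
                        String kind = escapesContext(realRoot, file, target)
                                ? "symlink-ESCAPES-CONTEXT" : "symlink";
                        entries.add(new Entry(rel(root, file), kind, target.toString(), 0));
                    } else {
                        entries.add(new Entry(rel(root, file), "file", null, attrs.size()));
                    }
                    return FileVisitResult.CONTINUE;
                }
            });
        return entries;
    }

    /** True when the link's target resolves to a location outside the build context. */
    static boolean escapesContext(Path realRoot, Path link, Path target) throws IOException {
        Path resolved = link.getParent().resolve(target).normalize();
        // Use the real path when the target exists so ".." and nested links are honoured.
        if (Files.exists(resolved)) {
            resolved = resolved.toRealPath();
        }
        return !resolved.startsWith(realRoot);
    }

    /** Bytes the naive approach copies: follow every link and sum regular-file sizes. */
    static long bytesIfLinksFollowed(Path root) throws IOException {
        try (var paths = Files.walk(root, FileVisitOption.FOLLOW_LINKS)) {
            return paths.filter(Files::isRegularFile).mapToLong(p -> {
                try { return Files.size(p); } catch (IOException e) { return 0; }
            }).sum();
        }
    }

    /** Bytes actually shipped when links are kept as links. */
    static long bytesInContext(List<Entry> entries) {
        return entries.stream().mapToLong(Entry::size).sum();
    }

    private static String rel(Path root, Path p) {
        return root.relativize(p).toString().replace('\\', '/');
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: one large file, two symlinks to its directory (one relative,
        // one absolute) and one link that leaves the context. Creating symlinks needs a
        // POSIX file system or a Windows account with the symlink privilege.
        Path ctx = Files.createTempDirectory("build-ctx");
        Path outside = Files.createTempDirectory("outside-ctx");
        Files.writeString(outside.resolve("secret.txt"), "not part of the image");
        Path data = Files.createDirectory(ctx.resolve("data"));
        Files.write(data.resolve("big.bin"), new byte[1 << 20]); // 1 MiB stand-in for the large file
        Files.createSymbolicLink(ctx.resolve("link1"), Path.of("data"));
        Files.createSymbolicLink(ctx.resolve("link2"), data);
        Files.createSymbolicLink(ctx.resolve("leak"), outside);

        List<Entry> entries = collect(ctx);
        for (Entry e : entries) {
            System.out.printf("%-12s %-24s %s%n", e.name(), e.kind(),
                    e.linkTarget() == null ? e.size() + " bytes" : "-> " + e.linkTarget());
        }
        System.out.printf("links kept as links: %d bytes%n", bytesInContext(entries));
        System.out.printf("links followed     : %d bytes%n", bytesIfLinksFollowed(ctx));
    }
}
```

Run with java SymlinkAwareContext.java (JDK 16 or later for the record). The link-preserving walk ships the large file once; the FOLLOW_LINKS walk counts it three times and also pulls in secret.txt from outside the context, which is the sensitive-data case the report describes. A context builder can treat the symlink-ESCAPES-CONTEXT entries as a hard error or a warning, depending on how strict it wants to be about absolute links.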