anchore · ariel-miculas · Nov 5, 2024 · Nov 5, 2024 · Nov 6, 2024
diff --git a/go.mod b/go.mod
@@ -91,6 +91,7 @@ require (
 	github.com/OneOfOne/xxhash v1.2.8
 	github.com/adrg/xdg v0.5.3
 	github.com/magiconair/properties v1.8.7
+	github.com/thediveo/procfsroot v1.0.1
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
 )
 

diff --git a/go.sum b/go.sum
@@ -327,6 +327,8 @@ github.com/go-restruct/restruct v1.2.0-alpha h1:2Lp474S/9660+SJjpVxoKuWX09JsXHSr
 github.com/go-restruct/restruct v1.2.0-alpha/go.mod h1:KqrpKpn4M8OLznErihXTGLlsXFGeLxHUrLRRI/1YjGk=
 github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
@@ -613,6 +615,8 @@ github.com/nwaples/rardecode v1.1.0 h1:vSxaY8vQhOcVr4mm5e8XllHWTiM4JF507A0Katqw7
 github.com/nwaples/rardecode v1.1.0/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWkRpHbbfGS0=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
+github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4=
+github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
 github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
 github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -768,6 +772,10 @@ github.com/sylabs/squashfs v1.0.0 h1:xAyMS21ogglkuR5HaY55PCfqY3H32ma9GkasTYo28Zg
 github.com/sylabs/squashfs v1.0.0/go.mod h1:rhWzvgefq1X+R+LZdts10hfMsTg3g74OfGunW8tvg/4=
 github.com/terminalstatic/go-xsd-validate v0.1.5 h1:RqpJnf6HGE2CB/lZB1A8BYguk8uRtcvYAPLCF15qguo=
 github.com/terminalstatic/go-xsd-validate v0.1.5/go.mod h1:18lsvYFofBflqCrvo1umpABZ99+GneNTw2kEEc8UPJw=
+github.com/thediveo/procfsroot v1.0.1 h1:uJBK+LARIa8fJVyMqgsdZHaK8/XYyLAB0QzQr0zEeIs=
+github.com/thediveo/procfsroot v1.0.1/go.mod h1:COuiAyTYS1iy2NP2Uti9YzTxxWqQlNMD57Xvfn65kIk=
+github.com/thediveo/success v1.0.1 h1:NVwUOwKUwaN8szjkJ+vsiM2L3sNBFscldoDJ2g2tAPg=
+github.com/thediveo/success v1.0.1/go.mod h1:AZ8oUArgbIsCuDEWrzWNQHdKnPbDOLQsWOFj9ynwLt0=
 github.com/therootcompany/xz v1.0.1 h1:CmOtsn1CbtmyYiusbfmhmkpAAETj0wBIH6kCYaX+xzw=
 github.com/therootcompany/xz v1.0.1/go.mod h1:3K3UH1yCKgBneZYhuQUvJ9HPD19UEXEI0BWbMn8qNMY=
 github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=

diff --git a/syft/internal/fileresolver/chroot_context.go b/syft/internal/fileresolver/chroot_context.go
@@ -5,8 +5,12 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"regexp"
 	"strings"
 
+	"github.com/thediveo/procfsroot"
+
+	"github.com/anchore/syft/internal/log"
 	"github.com/anchore/syft/syft/internal/windows"
 )
 
@@ -21,21 +25,43 @@ type ChrootContext struct {
 }
 
 func NewChrootContextFromCWD(root, base string) (*ChrootContext, error) {
-	currentWD, err := os.Getwd()
+	var currentWD string
+	var err error
+
+	cleanBase, err := NormalizeBaseDirectory(base)
+	if err != nil {
+		return nil, err
+	}
+
+	inProcfs, err := isPathInProcfsPid(base)
 	if err != nil {
-		return nil, fmt.Errorf("could not get current working directory: %w", err)
+		return nil, err
 	}
 
+	if inProcfs {
+		currentWD, err = getProcfsCwd(cleanBase)
+		if err != nil {
+			return nil, fmt.Errorf("could not get current working directory: %w", err)
+		}
+	} else {
+		currentWD, err = os.Getwd()
+		if err != nil {
+			return nil, fmt.Errorf("could not get current working directory: %w", err)
+		}
+	}
+
+	log.Tracef("cwd: %q", currentWD)
+
 	return NewChrootContext(root, base, currentWD)
 }
 
 func NewChrootContext(root, base, cwd string) (*ChrootContext, error) {
-	cleanRoot, err := NormalizeRootDirectory(root)
+	cleanBase, err := NormalizeBaseDirectory(base)
 	if err != nil {
 		return nil, err
 	}
 
-	cleanBase, err := NormalizeBaseDirectory(base)
+	cleanRoot, err := NormalizeRootDirectory(root, cleanBase)
 	if err != nil {
 		return nil, err
 	}
@@ -49,25 +75,166 @@ func NewChrootContext(root, base, cwd string) (*ChrootContext, error) {
 	return chroot, chroot.ChangeDirectory(cwd)
 }
 
-func NormalizeRootDirectory(root string) (string, error) {
-	cleanRoot, err := filepath.EvalSymlinks(root)
+// Evaluate all the symlinks from source until we find the base path, which we
+// assume it's a new root filesystem (it can be used as a chroot target). From
+// there, all the absolute symbolic links are resolved relative to the base
+// path. We return the path (either relative or absolute) that can be used by
+// the host to access the directory/file inside the chroot.
+//
+// If the base is empty or we are running on Windows, this function returns
+// filepath.Evalsymlinks(source)
+//
+// If the source doesn't contain the base path, we do regular symlink
+// resolution.
+func EvalSymlinksRelativeToBase(source string, base string) (string, error) {
+	var err error
+	var index int
+	var absPath string
+	var path string
+	var resolvedPath string
+
+	// For windows we don't support resolving absolute symlinks inside a
+	// chroot, so we preserve the existing behavior
+	if base == "" || windows.HostRunningOnWindows() {
+		return filepath.EvalSymlinks(source)
+	}
+
+	absBase, err := filepath.Abs(base)
+	if err != nil {
+		return "", err
+	}
+
+	log.Tracef("solving source %q relative to base %q", source, base)
+	source = filepath.Clean(source)
+
+	// we don't support resolving relative paths when the base is a procfs path
+	inProcfs, err := isPathInProcfsPid(absBase)
+	if err != nil {
+		return "", err
+	}
+
+	if inProcfs && !filepath.IsAbs(source) {
+		return "", fmt.Errorf("relative paths are not supported with procfs base")
+	}
+
+	containedPaths := allContainedPaths(source)
+	for index, path = range containedPaths {
+		resolvedPath, err = evalSymlinksExceptProcfs(path)
+		if err != nil {
+			return "", err
+		}
+		absPath, err = filepath.Abs(resolvedPath)
+		if err != nil {
+			return "", err
+		}
+		log.Tracef("path %q absPath %q resolvedPath %q\n", path, absPath, resolvedPath)
+		if strings.HasPrefix(absPath, absBase) {
+			break
+		}
+	}
+
+	// if we don't encounter base, return the resolved path (which could be relative)
+	// note, the absolutePath is absolute, so we don't want to return that one
+	if !strings.HasPrefix(absPath, absBase) {
+		log.Tracef("prefix not found, resolved path = %s", resolvedPath)
+		return resolvedPath, nil
+	}
+
+	chrootPath := strings.TrimPrefix(source, path)
+	if chrootPath == "" {
+		log.Tracef("resolved path = %s", resolvedPath)
+		return resolvedPath, nil
+	}
+
+	log.Tracef("found chroot symlink, chrootPath %q, absPath: %q, base %q, absBase %q, index %d, path %q", chrootPath, absPath, base, absBase, index, path)
+
+	normalizedPath, err := procfsroot.EvalSymlinks(chrootPath, absBase, procfsroot.EvalFullPath)
+	if err != nil {
+		return "", fmt.Errorf("could not evaluate source=%q, base=%q absBase=%q symlinks: %w", source, base, absBase, err)
+	}
+
+	log.Tracef("resolved path = %s", base+normalizedPath)
+	// we use base instead of absBase, since base could be relative
+	// it's the same argument as returning resolvedPath instead of absResolvedPath
+	return base + normalizedPath, nil
+}
+
+func getProcfsCwd(base string) (string, error) {
+	inProcfs, err := isPathInProcfsPid(base)
+	if err != nil {
+		return "", err
+	}
+	if !inProcfs {
+		return "", fmt.Errorf("path %q not in procfs", base)
+	}
+
+	components := strings.Split(base, "/")
+	pidStr := components[2]
+
+	processProcfsCwd := filepath.Join("/proc", pidStr, "cwd")
+	processProcfsCwd, err = os.Readlink(processProcfsCwd)
+	if err != nil {
+		return "", err
+	}
+	log.Tracef("base: %q, processProcfsCwd %q", base, processProcfsCwd)
+	return filepath.Join("/proc", pidStr, "root", processProcfsCwd), nil
+}
+
+func NormalizeRootDirectory(root string, base string) (string, error) {
+	cleanRoot, err := EvalSymlinksRelativeToBase(root, base)
 	if err != nil {
 		return "", fmt.Errorf("could not evaluate root=%q symlinks: %w", root, err)
 	}
+
 	return cleanRoot, nil
 }
 
+func isPathInProcfsPid(path string) (bool, error) {
+	match, err := regexp.MatchString("/proc/[1-9][0-9]*/root", path)
+	if err != nil {
+		return false, err
+	}
+	return match, nil
+}
+
+// If both source and base are absolute we support base being a symlink
+// This is mainly needed for procfs paths, e.g. /proc/PID/root, where
+// PID could be in a different mount namespace, so we can't follow the
+// symlink
+func evalSymlinksExceptProcfs(path string) (string, error) {
+	// don't follow symlink for paths in procfs
+	inProcfs, err := isPathInProcfsPid(path)
+	if err != nil {
+		return "", err
+	}
+	if inProcfs {
+		return path, nil
+	}
+	resolvedPath, err := filepath.EvalSymlinks(path)
+	if err != nil {
+		return "", fmt.Errorf("could not evaluate path=%q err: %w", path, err)
+	}
+	return resolvedPath, nil
+}
+
 func NormalizeBaseDirectory(base string) (string, error) {
+	var cleanBase string
+	var err error
 	if base == "" {
 		return "", nil
 	}
 
-	cleanBase, err := filepath.EvalSymlinks(base)
+	absBase, err := filepath.Abs(base)
+	if err != nil {
+		return "", err
+	}
+
+	cleanBase, err = evalSymlinksExceptProcfs(absBase)
 	if err != nil {
 		return "", fmt.Errorf("could not evaluate base=%q symlinks: %w", base, err)
 	}
 
-	return filepath.Abs(cleanBase)
+	return cleanBase, nil
 }
 
 // Root returns the root path with all symlinks evaluated.
@@ -153,18 +320,7 @@ func (r ChrootContext) ToNativeGlob(chrootPath string) (string, error) {
 		return r.ToNativePath(chrootPath)
 	}
 
-	responsePath := parts[0]
-
-	if filepath.IsAbs(responsePath) {
-		// don't allow input to potentially hop above root path
-		responsePath = path.Join(r.root, responsePath)
-	} else {
-		// ensure we take into account any relative difference between the root path and the CWD for relative requests
-		responsePath = path.Join(r.cwdRelativeToRoot, responsePath)
-	}
-
-	var err error
-	responsePath, err = filepath.Abs(responsePath)
+	responsePath, err := r.ToNativePath(parts[0])
 	if err != nil {
 		return "", err
 	}