[20.10] vendor moby/buildkit v0.8.3-31-gc0149372

full diff: 3a1eeca59a...c014937225

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

vendor.conf

@@ -33,7 +33,7 @@ github.com/imdario/mergo                            1afb36080aec31e0d1528973ebe6
 golang.org/x/sync                                   cd5d95a43a6e21273425c7ae415d3df9ea832eeb
 
 # buildkit
-github.com/moby/buildkit                            3a1eeca59a9263613d996ead67d53a4b7d45723d # v0.8.3-29-g3a1eeca5
+github.com/moby/buildkit                            c014937225cba29cfb1d5161fd134316c0e9bdaa # v0.8.3-31-gc0149372
 github.com/tonistiigi/fsutil                        0834f99b7b85462efb69b4f571a4fa3ca7da5ac9
 github.com/tonistiigi/units                         6950e57a87eaf136bbe44ef2ec8e75b9e3569de2
 github.com/grpc-ecosystem/grpc-opentracing          8e809c8a86450a29b90dcc9efbf062d0fe6d9746

vendor/github.com/moby/buildkit/source/git/gitsource.go

@@ -129,7 +129,11 @@ func (gs *gitSource) mountRemote(ctx context.Context, remote string, auth []stri
 	}()
 
 	if initializeRepo {
-		if _, err := gitWithinDir(ctx, dir, "", "", "", auth, "init", "--bare"); err != nil {
+		// Explicitly set the Git config 'init.defaultBranch' to the
+		// implied default to suppress "hint:" output about not having a
+		// default initial branch name set which otherwise spams unit
+		// test logs.
+		if _, err := gitWithinDir(ctx, dir, "", "", "", auth, "-c", "init.defaultBranch=master", "init", "--bare"); err != nil {
 			return "", nil, errors.Wrapf(err, "failed to init repo at %s", dir)
 		}
 
@@ -485,11 +489,14 @@ func (gs *gitSourceHandler) Snapshot(ctx context.Context, g session.Group) (out
 		if err := os.MkdirAll(checkoutDir, 0711); err != nil {
 			return nil, err
 		}
-		_, err = gitWithinDir(ctx, checkoutDirGit, "", sock, knownHosts, nil, "init")
+		_, err = gitWithinDir(ctx, checkoutDirGit, "", sock, knownHosts, nil, "-c", "init.defaultBranch=master", "init")
 		if err != nil {
 			return nil, err
 		}
-		_, err = gitWithinDir(ctx, checkoutDirGit, "", sock, knownHosts, nil, "remote", "add", "origin", gitDir)
+		// Defense-in-depth: clone using the file protocol to disable local-clone
+		// optimizations which can be abused on some versions of Git to copy unintended
+		// host files into the build context.
+		_, err = gitWithinDir(ctx, checkoutDirGit, "", sock, knownHosts, nil, "remote", "add", "origin", "file://"+gitDir)
 		if err != nil {
 			return nil, err
 		}
@@ -591,6 +598,7 @@ func git(ctx context.Context, dir, sshAuthSock, knownHosts string, args ...strin
 		stdout, stderr := logs.NewLogStreams(ctx, false)
 		defer stdout.Close()
 		defer stderr.Close()
+		args = append([]string{"-c", "protocol.file.allow=user"}, args...) // Block sneaky repositories from using repos from the filesystem as submodules.
 		cmd := exec.Command("git", args...)
 		cmd.Dir = dir // some commands like submodule require this
 		buf := bytes.NewBuffer(nil)
@@ -603,6 +611,8 @@ func git(ctx context.Context, dir, sshAuthSock, knownHosts string, args ...strin
 			"GIT_TERMINAL_PROMPT=0",
 			"GIT_SSH_COMMAND=" + getGitSSHCommand(knownHosts),
 			//	"GIT_TRACE=1",
+			"GIT_CONFIG_NOSYSTEM=1", // Disable reading from system gitconfig.
+			"HOME=/dev/null",        // Disable reading from user gitconfig.
 		}
 		if sshAuthSock != "" {
 			cmd.Env = append(cmd.Env, "SSH_AUTH_SOCK="+sshAuthSock)

vendor/github.com/moby/buildkit/util/contentutil/buffer.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"io/ioutil"
+	"strings"
 	"sync"
 	"time"
 
@@ -18,12 +19,14 @@ import (
 type Buffer interface {
 	content.Provider
 	content.Ingester
+	content.Manager
 }
 
 // NewBuffer returns a new buffer
 func NewBuffer() Buffer {
 	return &buffer{
 		buffers: map[digest.Digest][]byte{},
+		infos:   map[digest.Digest]content.Info{},
 		refs:    map[string]struct{}{},
 	}
 }
@@ -31,9 +34,59 @@ func NewBuffer() Buffer {
 type buffer struct {
 	mu      sync.Mutex
 	buffers map[digest.Digest][]byte
+	infos   map[digest.Digest]content.Info
 	refs    map[string]struct{}
 }
 
+func (b *buffer) Info(ctx context.Context, dgst digest.Digest) (content.Info, error) {
+	b.mu.Lock()
+	v, ok := b.infos[dgst]
+	b.mu.Unlock()
+	if !ok {
+		return content.Info{}, errdefs.ErrNotFound
+	}
+	return v, nil
+}
+
+func (b *buffer) Update(ctx context.Context, new content.Info, fieldpaths ...string) (content.Info, error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	updated, ok := b.infos[new.Digest]
+	if !ok {
+		return content.Info{}, errdefs.ErrNotFound
+	}
+
+	if len(fieldpaths) == 0 {
+		fieldpaths = []string{"labels"}
+	}
+
+	for _, path := range fieldpaths {
+		if strings.HasPrefix(path, "labels.") {
+			if updated.Labels == nil {
+				updated.Labels = map[string]string{}
+			}
+			key := strings.TrimPrefix(path, "labels.")
+			updated.Labels[key] = new.Labels[key]
+			continue
+		}
+		if path == "labels" {
+			updated.Labels = new.Labels
+		}
+	}
+
+	b.infos[new.Digest] = updated
+	return updated, nil
+}
+
+func (b *buffer) Walk(ctx context.Context, fn content.WalkFunc, filters ...string) error {
+	return nil // not implemented
+}
+
+func (b *buffer) Delete(ctx context.Context, dgst digest.Digest) error {
+	return nil // not implemented
+}
+
 func (b *buffer) Writer(ctx context.Context, opts ...content.WriterOpt) (content.Writer, error) {
 	var wOpts content.WriterOpts
 	for _, opt := range opts {
@@ -82,6 +135,7 @@ func (b *buffer) addValue(k digest.Digest, dt []byte) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
 	b.buffers[k] = dt
+	b.infos[k] = content.Info{Digest: k, Size: int64(len(dt))}
 }
 
 type bufferedWriter struct {

vendor/github.com/moby/buildkit/util/contentutil/source.go

@@ -0,0 +1,34 @@
+package contentutil
+
+import (
+	"net/url"
+	"strings"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/reference"
+)
+
+func HasSource(info content.Info, refspec reference.Spec) (bool, error) {
+	u, err := url.Parse("dummy://" + refspec.Locator)
+	if err != nil {
+		return false, err
+	}
+
+	if info.Labels == nil {
+		return false, nil
+	}
+
+	source, target := u.Hostname(), strings.TrimPrefix(u.Path, "/")
+	repoLabel, ok := info.Labels["containerd.io/distribution.source."+source]
+	if !ok || repoLabel == "" {
+		return false, nil
+	}
+
+	for _, repo := range strings.Split(repoLabel, ",") {
+		// the target repo is not a candidate
+		if repo == target {
+			return true, nil
+		}
+	}
+	return false, nil
+}

vendor/github.com/moby/buildkit/util/imageutil/config.go

@@ -13,6 +13,7 @@ import (
 	"github.com/containerd/containerd/reference"
 	"github.com/containerd/containerd/remotes"
 	"github.com/containerd/containerd/remotes/docker"
+	"github.com/moby/buildkit/util/contentutil"
 	"github.com/moby/buildkit/util/leaseutil"
 	"github.com/moby/buildkit/util/resolver/retryhandler"
 	digest "github.com/opencontainers/go-digest"
@@ -23,6 +24,7 @@ import (
 type ContentCache interface {
 	content.Ingester
 	content.Provider
+	content.Manager
 }
 
 var leasesMu sync.Mutex
@@ -74,10 +76,15 @@ func Config(ctx context.Context, str string, resolver remotes.Resolver, cache Co
 	if desc.Digest != "" {
 		ra, err := cache.ReaderAt(ctx, desc)
 		if err == nil {
-			desc.Size = ra.Size()
+			info, err := cache.Info(ctx, desc.Digest)
-			mt, err := DetectManifestMediaType(ra)
 			if err == nil {
-				desc.MediaType = mt
+				if ok, err := contentutil.HasSource(info, ref); err == nil && ok {
+					desc.Size = ra.Size()
+					mt, err := DetectManifestMediaType(ra)
+					if err == nil {
+						desc.MediaType = mt
+					}
+				}
 			}
 		}
 	}
@@ -100,8 +107,14 @@ func Config(ctx context.Context, str string, resolver remotes.Resolver, cache Co
 
 	children := childrenConfigHandler(cache, platform)
 
+	dslHandler, err := docker.AppendDistributionSourceLabel(cache, ref.String())
+	if err != nil {
+		return "", nil, err
+	}
+
 	handlers := []images.Handler{
 		retryhandler.New(remotes.FetchHandler(cache, fetcher), func(_ []byte) {}),
+		dslHandler,
 		children,
 	}
 	if err := images.Dispatch(ctx, images.Handlers(handlers...), nil, desc); err != nil {